Description
Flannel is a network fabric for containers, designed for Kubernetes. The Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. In versions of Flannel prior to 0.28.2, this Extension backend is vulnerable to a command injection that allows an attacker who can set Kubernetes Node annotations to achieve root-level arbitrary command execution on every flannel node in the cluster. The Extension backend's SubnetAddCommand and SubnetRemoveCommand receive attacker-controlled data via stdin (from the `flannel.alpha.coreos.com/backend-data` Node annotation). The content of this annotation is unmarshalled and piped directly to a shell command without checks. Kubernetes clusters using Flannel with the Extension backend are affected by this vulnerability. Other backends such as vxlan and wireguard are unaffected. The vulnerability is fixed in version v0.28.2. As a workaround, use Flannel with another backend such as vxlan or wireguard.
Published: 2026-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

Flannel, the networking fabric for Kubernetes, contains a command injection vulnerability in its experimental Extension backend. By inserting crafted data into the Kubernetes Node annotation "flannel.alpha.coreos.com/backend-data", an attacker can have the unvalidated string streamed into a shell command. The result is arbitrary command execution with root privileges on every Flannel node in the cluster. This weakness is a classic command injection (CWE‑77) and carries a high severity, with a CVSS score of 7.5.

Affected Systems

The flaw impacts the flannel‑io Flannel project for all releases prior to 0.28.2 when the Extension backend is enabled. Nodes configured with the Extension backend are affected. Stand‑alone backends such as vxlan and wireguard remain unaffected.

Risk and Exploitability

The vulnerability is not listed in CISA’s KEV catalog and an EPSS score is not provided, so the exact likelihood of exploitation is unknown. However, the attack path is straightforward for anyone who can write or modify Node annotations, which typically requires cluster administrator privileges. Given the 7.5 CVSS score, the risk to confidentiality, integrity, and availability is significant if the vulnerability is exploited.

Generated by OpenCVE AI on March 27, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flannel to version 0.28.2 or later.
  • If an upgrade is not possible, reconfigure Flannel to use the vxlan or wireguard backend instead of the Extension backend.
  • Restrict or disable the ability for non‑admin users to set "flannel.alpha.coreos.com/backend-data" annotations on nodes.
  • Verify that all Kubernetes nodes run the fixed version or are migrated to an unaffected backend before enabling any annotation‑based configuration.

Advisories
Source: Github GHSA
ID: GHSA-vchx-5pr6-ffx2
Title: Flannel has cross-node remote code execution via extension backend BackendData injection
History

Fri, 27 Mar 2026 19:45:00 +0000

Values removed: none

Values added:
Description: identical to the description at the top of this page.
Title: Flannel vulnerable to cross-node remote code execution via extension backend BackendData injection
Weaknesses: CWE-77
References
Metrics: cvssV3_1, score 7.5, vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:31:48.276Z

Reserved: 2026-03-11T14:47:05.684Z

Link: CVE-2026-32241

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T20:16:30.570

Modified: 2026-03-27T20:16:30.570

Link: CVE-2026-32241

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:27:31Z

Weaknesses