Description
Kube-router is a turnkey solution for Kubernetes networking. Prior to version 2.8.0, Kube-router's proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration. Version 2.8.0 contains a patch for the issue. Available workarounds include enabling DenyServiceExternalIPs feature gate, deploying admission policy, restricting service creation RBAC, monitoring service changes, and applying BGP prefix filtering.
Published: 2026-03-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Network Traffic Hijacking
Action: Immediate Patch
AI Analysis

Impact

Kube‑router’s proxy module, prior to version 2.8.0, fails to validate the externalIPs or LoadBalancer IPs that are assigned to a service before programming them into a node’s network configuration. This flaw permits a cluster administrator or any user with sufficient RBAC permissions to introduce arbitrary IP addresses into the cluster, effectively hijacking traffic that matches those IPs across the entire Kubernetes environment. The vulnerability is identified as CWE‑284 (Improper Authorization).

Affected Systems

All releases of cloudnativelabs:kube‑router older than v2.8.0 are affected. Any deployment that uses the proxy module and allows services to specify externalIPs or LoadBalancer IPs is vulnerable, regardless of the underlying Kubernetes version. The issue is fixed in kube‑router v2.8.0 and later releases.

Risk and Exploitability

The CVSS score of 7.1 indicates a high-impact vulnerability. The EPSS score is reported to be less than 1 %, implying that exploitation is currently uncommon in the wild. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the ability to create or modify services with arbitrary externalIPs or LoadBalancer IPs, typically a privilege reserved for cluster administrators or highly privileged users. Once a malicious IP is injected, an attacker can redirect or hijack traffic destined for any pod exposed through the affected service. There is no evidence from the CVE description of a denial‑of‑service capability beyond traffic hijacking.

Generated by OpenCVE AI on March 19, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply kube‑router version 2.8.0 or later.
  • Enable the DenyServiceExternalIPs feature gate.
  • Deploy admission policies that reject externalIPs configurations.
  • Restrict RBAC permissions for creating services that include externalIPs or loadBalancer IPs.
  • Monitor service changes for unexpected externalIPs.
  • Implement BGP prefix filtering to control traffic propagation.

Generated by OpenCVE AI on March 19, 2026 at 19:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-phqm-jgc3-qf8g Kube-router Proxy Module Blindly Trusts ExternalIPs/LoadBalancer IPs Enabling Cluster-Wide Traffic Hijacking and DNS DoS
History

Thu, 19 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Kube-router
Kube-router kube-router
CPEs cpe:2.3:a:kube-router:kube-router:*:*:*:*:*:kubernetes:*:*
Vendors & Products Kube-router
Kube-router kube-router

Wed, 18 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Cloudnativelabs
Cloudnativelabs kube-router
Vendors & Products Cloudnativelabs
Cloudnativelabs kube-router

Wed, 18 Mar 2026 03:30:00 +0000

Type Values Removed Values Added
Description Kube-router is a turnkey solution for Kubernetes networking. Prior to version 2.8.0, Kube-router's proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration. Version 2.8.0 contains a patch for the issue. Available workarounds include enabling DenyServiceExternalIPs feature gate, deploying admission policy, restricting service creation RBAC, monitoring service changes, and applying BGP prefix filtering.
Title Kube-router Proxy Module Blindly Trusts ExternalIPs/LoadBalancer IPs Enabling Cluster-Wide Traffic Hijacking and DNS DoS
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H'}

Subscriptions

Cloudnativelabs Kube-router
Kube-router Kube-router
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T13:35:56.647Z

Reserved: 2026-03-11T14:47:05.686Z

Link: CVE-2026-32254

cve-icon Vulnrichment

Updated: 2026-03-18T13:35:47.222Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T04:17:24.340

Modified: 2026-03-19T18:06:51.620

Link: CVE-2026-32254

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:59:25Z

Weaknesses