Description
Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially causing the webhook server to be killed by OOM. All Volcano deployments with the webhook server exposed to in-cluster traffic are affected. This vulnerability is fixed in v1.14.2, v1.13.3, and v1.12.4.
Published: 2026-05-27
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Volcano webhook server lacks a size limit on HTTP request bodies, enabling an in‑cluster pod to send an arbitrarily large payload that can exhaust memory and terminate the process. This failure to enforce resource bounds is a classic resource‑exhaustion flaw (CWE‑400 and CWE‑770) that results in service disruption as the webhook server is killed by the operating system.

Affected Systems

Volcano versions 1.14.2, 1.13.3, and 1.12.4 contain the fix; earlier releases of the Volcano batch scheduler are vulnerable. Every webhook server reachable from in‑cluster pods is affected, since any such pod can contact the endpoint.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity. Based on the description, the vulnerability can be triggered from any pod within the cluster, implying an internal attack vector that does not require privileged access. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, suggesting that public exploitation may be limited, but the potential for an application outage remains high. Patch, or mitigate by limiting the request body size, to reduce the likelihood of an OOM crash.

Generated by OpenCVE AI on May 27, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Volcano deployment to at least v1.14.2, v1.13.3, or v1.12.4 depending on your current version.
  • If an immediate upgrade is not possible, deploy a reverse proxy or use an ingress controller that enforces a maximum HTTP request body size to mitigate the risk of OOM attacks.
  • Continuously monitor cluster logs for crash events from the Volcano webhook server and adjust resource limits if necessary.
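The second action above enforces a body limit in front of the webhook; the same bound can be applied in the handler itself. As an added illustration, not Volcano's own code, this minimal Go admission handler wraps the body in the standard library's http.MaxBytesReader and answers 413 once the cap is exceeded; maxBodyBytes, admissionHandler and the in-process postStatus helper are assumed names.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed limit: a few MiB is ample for any AdmissionReview the API server sends.
const maxBodyBytes int64 = 1 << 20

// admissionHandler is a minimal validating-webhook handler. An unbounded io.ReadAll
// buffers whatever a client sends; http.MaxBytesReader caps what this request can read.
func admissionHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	body, err := io.ReadAll(r.Body) // reads at most maxBodyBytes+1 bytes
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "could not read body", http.StatusBadRequest)
		return
	}
	var review struct {
		Request struct {
			UID string `json:"uid"`
		} `json:"request"`
	}
	if err := json.Unmarshal(body, &review); err != nil || review.Request.UID == "" {
		http.Error(w, "invalid AdmissionReview", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]any{"response": map[string]any{"uid": review.Request.UID, "allowed": true}})
}

// postStatus drives the handler in-process with a constructed body and returns
// the HTTP status, so the limit can be exercised without a running cluster.
func postStatus(body string) int {
	rec := httptest.NewRecorder()
	admissionHandler(rec, httptest.NewRequest(http.MethodPost, "/validate", strings.NewReader(body)))
	return rec.Code
}
```

A body one byte over maxBodyBytes is rejected with 413 before it is buffered, while a well-formed review still returns 200.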



Advisories
Source        ID                    Title
Github GHSA   GHSA-8wxp-xxp2-rcgx   Volcano's webhook server vulnerable to OOM due to unbounded HTTP request body size
History

Wed, 27 May 2026 21:45:00 +0000

Type          Values Removed   Values Added
Description   -                Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially causing the webhook server to be killed by OOM. All Volcano deployments with the webhook server exposed to in-cluster traffic are affected. This vulnerability is fixed in v1.14.2, v1.13.3, and v1.12.4.
Title         -                Volcano: Webhook server vulnerable to OOM due to unbounded HTTP request body size
Weaknesses    -                CWE-400, CWE-770
References    -                -
Metrics       -                cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T20:56:47.220Z

Reserved: 2026-05-05T16:33:55.844Z

Link: CVE-2026-44247

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-27T22:16:35.507

Modified: 2026-05-27T22:16:35.507

Link: CVE-2026-44247

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T22:45:44Z

Weaknesses