Description
IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data. This issue has been patched in versions 1.11.7, 1.12.4, and 1.13.0.
Published: 2026-06-12
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The IP Address Manager (IPAM) controller’s ClusterRole in metal3-io’s IPAM was granted full create, read, update, delete, patch, and watch permissions on core/v1 Secrets, even though the controller never accesses these resources during normal operation. If an attacker compromises the controller pod, for example through a supply‑chain intrusion or container escape, the attacker can read, modify, or delete Secrets in the namespace. This allows disclosure of credentials, configuration data, or other sensitive information that could facilitate further attacks or disrupt cluster operations.

Affected Systems

metal3-io IP Address Manager (IPAM) versions prior to 1.11.7, 1.12.4, and 1.13.0 are affected. The vulnerability has been resolved in these versions and later releases.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity, and the EPSS score of less than 1% suggests the likelihood of exploitation is low under current conditions. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to require a compromise of the controller pod, which could occur via a supply‑chain attack or container escape. Once compromised, the attacker can use the over‑privileged role to read, modify, or delete Secrets, potentially exposing sensitive data and enabling further malicious activity.

Generated by OpenCVE AI on June 12, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade metal3-io IP Address Manager to version 1.11.7, 1.12.4, 1.13.0, or later to remove the excessive Secrets permissions.
  • If an upgrade is not immediately possible, re‑define the IPAM controller’s ClusterRole to remove CRUD permissions on core/v1 Secrets, applying least‑privilege RBAC.
  • Implement monitoring or logging of secret access and pod escape events to detect any abuse of the privileged role promptly.
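The second action above amounts to checking whether any rule in the controller's ClusterRole reaches core/v1 Secrets. The following audit helper is an added example, not code from the metal3-io IPAM project; the two manifests are constructed from the advisory's description (the `ipam.metal3.io` rule is an assumed placeholder for the controller's legitimate permissions), and the check handles the `*` wildcards and the empty-string core API group that RBAC rules may use.

```python
"""Audit Kubernetes RBAC rules for grants on core/v1 Secrets (hypothetical helper)."""
from typing import Dict, List, Set

# Verbs the advisory says the pre-fix IPAM ClusterRole granted on Secrets.
FULL_CRUD = {"create", "delete", "get", "list", "patch", "update", "watch"}


def _matches(values: List[str], wanted: str) -> bool:
    """True if an RBAC list names the wanted value or uses the '*' wildcard."""
    return "*" in values or wanted in values


def secret_verbs(role: Dict) -> Set[str]:
    """Return every verb the role grants on core-group 'secrets'.

    The core API group is written as "" in RBAC rules; "*" in apiGroups,
    resources or verbs also matches. A wildcard verb is reported as the full
    CRUD set, since that is the grant the advisory is concerned with.
    """
    granted: Set[str] = set()
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        if ("*" in groups or "" in groups) and _matches(rule.get("resources", []), "secrets"):
            verbs = rule.get("verbs", [])
            granted |= FULL_CRUD if "*" in verbs else set(verbs)
    return granted


# Constructed manifest mirroring the over-privileged rule described in the advisory.
VULNERABLE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "ipam-manager-role"},  # constructed name
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": sorted(FULL_CRUD)},
        {"apiGroups": ["ipam.metal3.io"], "resources": ["ippools"],  # assumed
         "verbs": ["get", "list", "watch", "update", "patch"]},
    ],
}

# Least-privilege version: identical, minus the Secrets rule.
FIXED_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "ipam-manager-role"},
    "rules": [r for r in VULNERABLE_ROLE["rules"] if r["resources"] != ["secrets"]],
}

if __name__ == "__main__":
    for role in (VULNERABLE_ROLE, FIXED_ROLE):
        print(role["metadata"]["name"], "secrets verbs:", sorted(secret_verbs(role)) or "none")
```

On a live cluster the same question is answered by `kubectl auth can-i get secrets --as=system:serviceaccount:<namespace>:<ipam-sa>`, which should return "no" after the upgrade or role change.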



Advisories

Source: GitHub GHSA
ID: GHSA-49pm-43hf-6xfq
Title: IPAM controller service account granted unnecessary full access to Secrets
History

Sat, 13 Jun 2026 04:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 20:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Metal3-io; Metal3-io ip-address-manager

Type: Vendors & Products
Values removed: (none)
Values added: Metal3-io; Metal3-io ip-address-manager

Fri, 12 Jun 2026 15:45:00 +0000

Type: Description
Values removed: (none)
Values added: IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data. This issue has been patched in versions 1.11.7, 1.12.4, and 1.13.0.

Type: Title
Values removed: (none)
Values added: IPAM controller service account granted unnecessary full access to Secrets

Type: Weaknesses
Values removed: (none)
Values added: CWE-250

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1
{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-13T03:18:15.986Z

Reserved: 2026-05-18T22:07:37.435Z

Link: CVE-2026-47190

Vulnrichment

Updated: 2026-06-13T03:18:09.572Z

NVD

Status : Awaiting Analysis

Published: 2026-06-12T16:16:29.643

Modified: 2026-06-12T16:24:31.187

Link: CVE-2026-47190

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:20:05Z

Weaknesses
  • CWE-250: Execution with Unnecessary Privileges