Vulnerability Description
Kube-router is a turnkey solution for Kubernetes networking. Prior to version 2.8.0, Kube-router's proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration. Version 2.8.0 contains a patch for the issue. Available workarounds include enabling DenyServiceExternalIPs feature gate, deploying admission policy, restricting service creation RBAC, monitoring service changes, and applying BGP prefix filtering.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kube-Router | Kube-Router | < 2.8.0 |
Related Weaknesses (CWE)
References
- https://github.com/cloudnativelabs/kube-router/commit/a1f0b2eea3ee0f66b9a5b5c49dPatch
- https://github.com/cloudnativelabs/kube-router/releases/tag/v2.8.0ProductRelease Notes
- https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgcExploitMitigationPatch
- https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgcExploitMitigationPatch
FAQ
What is CVE-2026-32254?
CVE-2026-32254 is a vulnerability with a CVSS score of 7.1 (HIGH). Kube-router is a turnkey solution for Kubernetes networking. Prior to version 2.8.0, Kube-router's proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node'...
How severe is CVE-2026-32254?
CVE-2026-32254 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32254?
Check the references section above for vendor advisories and patch information. Affected products include: Kube-Router Kube-Router.