CVE-2026-29954
Received Received - Intake
SSRF and HTTP Header Injection in KubePlus Webhook Components

Publication date: 2026-03-30

Last updated on: 2026-04-06

Assigner: MITRE

Description
In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More critically, when kubeconfiggenerator uses wget to download charts, the chartURL is directly concatenated into the command, allowing attackers to inject wget's `--header` option to achieve arbitrary HTTP header injection.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-06
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29954
EUVD
EUVD-2026-17133
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cloudark kubeplus 4.1.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29954 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in KubePlus, specifically affecting the mutating webhook and kubeconfiggenerator components when processing the chartURL field of ResourceComposition resources.

The vulnerability arises because the chartURL field is only URL-encoded without validating the target address, allowing attackers to make the server send requests to arbitrary internal or external services.

More critically, the kubeconfiggenerator component downloads charts using a wget command where the chartURL is directly concatenated into the command line without sanitization. This allows attackers to inject arbitrary wget command-line options, notably the --header option, enabling arbitrary HTTP header injection.

This combination of SSRF and command injection enables attackers with Provider privileges to access internal services and cloud metadata endpoints, potentially stealing IAM credentials and bypassing authentication.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to internal cluster services and cloud metadata endpoints.

  • Attackers can perform SSRF attacks to make the server send requests to internal or cloud metadata services.
  • Through command injection in wget, attackers can inject arbitrary HTTP headers such as 'Metadata-Flavor: Google' to access Google Cloud Platform metadata services.
  • This can lead to theft of IAM credentials, enabling attackers to access cloud resources and potentially escalate privileges.
  • Attackers can also inject authorization headers to bypass authentication on some services.

Overall, the vulnerability can result in high confidentiality loss, including theft of sensitive credentials, with low integrity and no availability impact.

Detection Guidance

Detection of CVE-2026-29954 involves monitoring for unusual or unauthorized HTTP requests originating from the KubePlus components, especially those targeting internal services or cloud metadata endpoints.

Specifically, you can look for SSRF attempts where the chartURL parameter is used to make requests to internal IPs such as 169.254.169.254 (cloud metadata service).

Additionally, detection can focus on command injection attempts in wget commands, particularly those including injected --header options.

  • Monitor logs of the mutating webhook and kubeconfiggenerator components for suspicious chartURL values containing wget command options like '--header'.
  • Use network monitoring tools or packet capture (e.g., tcpdump) to detect outbound HTTP requests from KubePlus pods to internal or cloud metadata IPs.
  • Example command to capture suspicious outbound requests: tcpdump -i <interface> host 169.254.169.254
  • Check Kubernetes audit logs or API server logs for ResourceComposition resources with unusual or suspicious chartURL fields.
Mitigation Strategies

Immediate mitigation steps focus on restricting the ability of KubePlus components to make unauthorized outbound network requests.

  • Implement Kubernetes NetworkPolicies to restrict outbound network access from KubePlus pods, preventing connections to internal services and cloud metadata endpoints.
  • Review and sanitize the chartURL input in ResourceComposition resources to prevent injection of malicious wget command options.
  • Update or patch KubePlus to a version where this vulnerability is fixed, if available.
  • Monitor logs for suspicious activity related to this vulnerability and revoke any compromised credentials if detected.
Compliance Impact

CVE-2026-29954 allows attackers to perform SSRF and inject arbitrary HTTP headers to access internal services and cloud metadata endpoints, potentially leading to theft of IAM credentials and authentication bypass.

Such unauthorized access to sensitive credentials and internal resources can result in data breaches or unauthorized data access, which may violate compliance requirements under standards like GDPR or HIPAA that mandate protection of sensitive data and access controls.

Therefore, this vulnerability poses a significant risk to compliance by enabling attackers to bypass security controls and potentially access or exfiltrate sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29954. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart