CVE-2026-29954
SSRF and HTTP Header Injection in KubePlus Webhook Components
Publication date: 2026-03-30
Last updated on: 2026-04-06
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cloudark | kubeplus | 4.1.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29954 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in KubePlus, specifically affecting the mutating webhook and kubeconfiggenerator components when processing the chartURL field of ResourceComposition resources.
The vulnerability arises because the chartURL field is only URL-encoded without validating the target address, allowing attackers to make the server send requests to arbitrary internal or external services.
More critically, the kubeconfiggenerator component downloads charts using a wget command where the chartURL is directly concatenated into the command line without sanitization. This allows attackers to inject arbitrary wget command-line options, notably the --header option, enabling arbitrary HTTP header injection.
This combination of SSRF and command injection enables attackers with Provider privileges to access internal services and cloud metadata endpoints, potentially stealing IAM credentials and bypassing authentication.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized access to internal cluster services and cloud metadata endpoints.
- Attackers can perform SSRF attacks to make the server send requests to internal or cloud metadata services.
- Through command injection in wget, attackers can inject arbitrary HTTP headers such as 'Metadata-Flavor: Google' to access Google Cloud Platform metadata services.
- This can lead to theft of IAM credentials, enabling attackers to access cloud resources and potentially escalate privileges.
- Attackers can also inject authorization headers to bypass authentication on some services.
Overall, the vulnerability can result in high confidentiality loss, including theft of sensitive credentials, with low integrity and no availability impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2026-29954 involves monitoring for unusual or unauthorized HTTP requests originating from the KubePlus components, especially those targeting internal services or cloud metadata endpoints.
Specifically, you can look for SSRF attempts where the chartURL parameter is used to make requests to internal IPs such as 169.254.169.254 (cloud metadata service).
Additionally, detection can focus on command injection attempts in wget commands, particularly those including injected --header options.
- Monitor logs of the mutating webhook and kubeconfiggenerator components for suspicious chartURL values containing wget command options like '--header'.
- Use network monitoring tools or packet capture (e.g., tcpdump) to detect outbound HTTP requests from KubePlus pods to internal or cloud metadata IPs.
- Example command to capture suspicious outbound requests: tcpdump -i <interface> host 169.254.169.254
- Check Kubernetes audit logs or API server logs for ResourceComposition resources with unusual or suspicious chartURL fields.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps focus on restricting the ability of KubePlus components to make unauthorized outbound network requests.
- Implement Kubernetes NetworkPolicies to restrict outbound network access from KubePlus pods, preventing connections to internal services and cloud metadata endpoints.
- Review and sanitize the chartURL input in ResourceComposition resources to prevent injection of malicious wget command options.
- Update or patch KubePlus to a version where this vulnerability is fixed, if available.
- Monitor logs for suspicious activity related to this vulnerability and revoke any compromised credentials if detected.
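The two list items above about sanitizing chartURL and about monitoring logs for values carrying wget options can share one check. The following is an added example, not KubePlus code: `chart_url_problem` validates a ResourceComposition chartURL before it can reach a shell command (rejecting option-injection characters, non-HTTP(S) schemes, userinfo, non-public literal addresses such as 169.254.169.254, and hosts outside a hypothetical repository allowlist), and `suspicious_log_lines` runs the same check over a constructed log format of the form `chartURL="<value>"`.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Hypothetical allowlist of chart repositories the operator trusts (assumption).
ALLOWED_HOSTS = {"charts.example.com"}
# Conservative URL alphabet: no whitespace, quotes or shell metacharacters, so the
# value can never become a second argv token or break out of quoting.
_SAFE_URL = re.compile(r"[A-Za-z0-9\-._~:/?#@+,=%\[\]]+")


def chart_url_problem(raw: str) -> Optional[str]:
    """Return why `raw` is unsafe as a chartURL, or None if it passes every check."""
    # Check both the raw and the percent-decoded form: the advisory notes the field
    # is only URL-encoded, so a %20 must not be allowed to turn into a space later.
    if not (_SAFE_URL.fullmatch(raw) and _SAFE_URL.fullmatch(unquote(raw))):
        return "disallowed characters (whitespace, quotes or shell metacharacters)"
    if raw.startswith("-"):
        return "value starts with '-' and would be parsed as a wget option"
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} is not http/https"
    if parts.username is not None or parts.password is not None:
        return "userinfo in URL is not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        if not ipaddress.ip_address(host).is_global:
            return f"literal address {host} is not a public address"
    except ValueError:
        pass  # a DNS name rather than a literal IP; the allowlist decides below
    if host not in ALLOWED_HOSTS:
        return f"host {host!r} is not in the chart repository allowlist"
    return None


# Constructed log format for the detection side (assumption): each line carries the
# field as chartURL="<value>". Adapt the regex to the real webhook log layout.
_LOG_FIELD = re.compile(r'chartURL="([^"]*)"')


def suspicious_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for every logged chartURL that fails validation."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for value in _LOG_FIELD.findall(line):
            problem = chart_url_problem(value)
            if problem:
                hits.append((n, problem))
    return hits
```

Rejecting at the mutating webhook is the stronger control; the log scan only catches values that already reached the components, so treat any hit as a reason to review the ResourceComposition that produced it.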
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-29954 allows attackers to perform SSRF and inject arbitrary HTTP headers to access internal services and cloud metadata endpoints, potentially leading to theft of IAM credentials and authentication bypass.
Such unauthorized access to sensitive credentials and internal resources can result in data breaches or unauthorized data access, which may violate compliance requirements under standards like GDPR or HIPAA that mandate protection of sensitive data and access controls.
Therefore, this vulnerability poses a significant risk to compliance by enabling attackers to bypass security controls and potentially access or exfiltrate sensitive information.