CVE-2026-32241
Status: Received - Intake
Command Injection in Flannel Extension Backend Enables Root Execution

Publication date: 2026-03-27

Last updated on: 2026-04-08

Assigner: GitHub, Inc.

Description
Flannel is a network fabric for containers, designed for Kubernetes. The Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. In versions of Flannel prior to 0.28.2, this Extension backend is vulnerable to a command injection that allows an attacker who can set Kubernetes Node annotations to achieve root-level arbitrary command execution on every flannel node in the cluster. The Extension backend's SubnetAddCommand and SubnetRemoveCommand receive attacker-controlled data via stdin (from the `flannel.alpha.coreos.com/backend-data` Node annotation). The content of this annotation is unmarshalled and piped directly to a shell command without checks. Kubernetes clusters using Flannel with the Extension backend are affected by this vulnerability. Other backends such as vxlan and wireguard are unaffected. The vulnerability is fixed in version v0.28.2. As a workaround, use Flannel with another backend such as vxlan or wireguard.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: flannel-io
Product: flannel
Version / Range: up to 0.28.2 (exclusive)
CWE
CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32241 is a command injection vulnerability (CWE-77) in the experimental Extension backend of Flannel, the Kubernetes container network fabric, in versions prior to 0.28.2.

The Extension backend lets users prototype new backend types by configuring shell commands (SubnetAddCommand and SubnetRemoveCommand) that flannel runs on each node when another node's subnet is added or removed.

Those commands receive the other node's `flannel.alpha.coreos.com/backend-data` Node annotation on stdin. Before 0.28.2 the annotation content was unmarshalled and piped directly to the shell command without validation or sanitization, so whoever controls the annotation controls what the shell executes.

Because every flannel node processes the annotations of its peers and the commands run as root, an attacker who can set Kubernetes Node annotations gains root-level arbitrary command execution on every Flannel node in the cluster.

Other Flannel backends, such as vxlan and wireguard, are not affected.


How can this vulnerability impact me?

This vulnerability can have a severe impact because it allows an attacker with the ability to modify Kubernetes Node annotations to execute arbitrary commands with root privileges on all Flannel nodes in the cluster.

The impact includes full compromise of confidentiality, integrity, and availability of the affected nodes.

Since the attacker gains root-level command execution on every node, they can potentially control the cluster's network fabric, disrupt services, steal sensitive data, or use the nodes as a foothold for further attacks.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The flaw is the Flannel Extension backend processing attacker-controlled Node annotation data without validation, so detection means establishing two facts: that the cluster runs a Flannel version prior to 0.28.2, and that it uses the experimental Extension backend. A third, optional check looks for signs of abuse in the annotation itself.

  • Check which backend is configured. The authoritative source is the `Backend.Type` field of `net-conf.json` in the flannel ConfigMap (`kube-flannel-cfg` in the upstream manifest); flannel also records it in the `flannel.alpha.coreos.com/backend-type` annotation on each Node, which is quick to list: `kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{": "}{.metadata.annotations.flannel\.alpha\.coreos\.com/backend-type}{"\n"}{end}'`. Only `extension` is affected; `vxlan` and `wireguard` are not.
  • Inspect the `flannel.alpha.coreos.com/backend-data` annotation on every Node for content you cannot account for, in particular shell metacharacters: `kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{": "}{.metadata.annotations.flannel\.alpha\.coreos\.com/backend-data}{"\n"}{end}'`
  • Check the Flannel version, either with `flanneld --version` on a node or from the image tag of the flannel DaemonSet: `kubectl -n kube-flannel get ds kube-flannel-ds -o jsonpath='{.spec.template.spec.containers[*].image}'` (older installs place the DaemonSet in `kube-system`).

A vulnerable version combined with the Extension backend means the cluster is exposed whether or not the annotations currently look suspicious; suspicious backend-data is a separate signal that the flaw may already have been exploited, and calls for incident response rather than only an upgrade.
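The three checks above can be run once and combined. The following script is an added example for this page, not code from the flannel project or the advisory: it reads the JSON that `kubectl get nodes -o json`, `kubectl -n kube-flannel get cm kube-flannel-cfg -o json` and `kubectl -n kube-flannel get ds kube-flannel-ds -o json` produce (the namespace and object names are those of the upstream kube-flannel manifest and are an assumption; adjust them for your install), decides whether the cluster is exposed, and flags extension-backend nodes whose backend-data contains shell metacharacters. With no arguments it runs against constructed sample documents embedded in the script.

```python
"""Offline exposure triage for CVE-2026-32241 (added example, not flannel code).

Inputs are the JSON documents produced by `kubectl get nodes -o json`,
`kubectl -n kube-flannel get cm kube-flannel-cfg -o json` and
`kubectl -n kube-flannel get ds kube-flannel-ds -o json`; namespace and object
names are the upstream manifest's defaults (assumption). Without arguments the
script runs against the constructed SAMPLE_* documents below.
"""
import json
import re
import sys

FIXED_VERSION = (0, 28, 2)
BACKEND_TYPE_ANNOTATION = "flannel.alpha.coreos.com/backend-type"
BACKEND_DATA_ANNOTATION = "flannel.alpha.coreos.com/backend-data"
# Characters legitimate Extension backend data has no reason to contain but that
# an injection payload needs to break out of a shell command. The annotation
# value is JSON, so a newline in a payload shows up as a backslash escape.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n\\]")


def parse_version(tag):
    """'v0.28.1' or '0.28.2-rc1' -> (0, 28, 1); None for tags such as 'latest'."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def configured_backend(configmap_doc):
    """Backend.Type from net-conf.json, or '' when the key is absent."""
    net_conf = json.loads(configmap_doc["data"]["net-conf.json"])
    return net_conf.get("Backend", {}).get("Type", "")


def flannel_image_version(daemonset_doc):
    """Version tuple parsed from the kube-flannel container's image tag, or None."""
    containers = daemonset_doc["spec"]["template"]["spec"]["containers"]
    flannel = next((c for c in containers if c["name"] == "kube-flannel"), containers[0])
    # Split only the last path component so a registry port is not taken for a tag.
    last = flannel["image"].rsplit("/", 1)[-1]
    return parse_version(last.rsplit(":", 1)[1]) if ":" in last else None


def triage(nodes_doc, configmap_doc, daemonset_doc):
    """Return backend in use, flannel version, exposure verdict and per-node findings."""
    backend = configured_backend(configmap_doc)
    version = flannel_image_version(daemonset_doc)
    # An unparseable tag (e.g. 'latest' or a digest) is unknown, not safe.
    version_vulnerable = None if version is None else version < FIXED_VERSION
    nodes = []
    for item in nodes_doc["items"]:
        ann = item["metadata"].get("annotations", {})
        node_backend = ann.get(BACKEND_TYPE_ANNOTATION, "")
        data = ann.get(BACKEND_DATA_ANNOTATION, "")
        nodes.append({
            "name": item["metadata"]["name"],
            "backend_type": node_backend,
            # Only meaningful on extension nodes: vxlan backend-data is a JSON
            # object and would trip the metacharacter check for no reason.
            "suspicious_backend_data": node_backend == "extension"
            and bool(SHELL_METACHARS.search(data)),
        })
    extension_in_use = backend == "extension" or any(
        n["backend_type"] == "extension" for n in nodes)
    return {"backend": backend, "version": version,
            "exposed": extension_in_use and version_vulnerable is not False,
            "nodes": nodes}


# Constructed sample documents, trimmed to the fields the checks read.
SAMPLE_NODES = {"items": [
    {"metadata": {"name": "node-a", "annotations": {
        BACKEND_TYPE_ANNOTATION: "extension", BACKEND_DATA_ANNOTATION: "\"key-node-a\""}}},
    {"metadata": {"name": "node-b", "annotations": {  # placeholder payload, constructed
        BACKEND_TYPE_ANNOTATION: "extension", BACKEND_DATA_ANNOTATION: "\"key; id > /tmp/o\""}}},
]}
SAMPLE_CONFIGMAP = {"data": {"net-conf.json": json.dumps(
    {"Network": "10.244.0.0/16", "Backend": {"Type": "extension"}})}}
SAMPLE_DAEMONSET = {"spec": {"template": {"spec": {"containers": [
    {"name": "kube-flannel", "image": "ghcr.io/flannel-io/flannel:v0.28.1"}]}}}}


def main(argv):
    if len(argv) == 4:
        docs = [json.load(open(path)) for path in argv[1:]]
    else:
        docs = [SAMPLE_NODES, SAMPLE_CONFIGMAP, SAMPLE_DAEMONSET]
    result = triage(*docs)
    print(json.dumps(result, indent=2))
    return 1 if result["exposed"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 triage.py nodes.json cfg.json ds.json`; exit status 1 means exposed. An image tag that is not a version (`latest`, or a digest reference) is reported as an unknown version and still counted as exposed when the Extension backend is in use, because it cannot be shown to be fixed.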


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an attacker with the ability to modify Kubernetes Node annotations to execute arbitrary commands with root privileges on every Flannel node in the cluster. This can lead to a high impact on confidentiality, integrity, and availability of the affected systems.

Such a compromise could potentially result in unauthorized access to sensitive data or disruption of services, which may violate compliance requirements under standards like GDPR or HIPAA that mandate protection of data confidentiality and system integrity.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Flannel to v0.28.2 or later, where the vulnerability is fixed.

If upgrading immediately is not possible, switch the Flannel backend from the Extension backend to one that is not affected, such as vxlan or wireguard. Flannel reads `net-conf.json` at startup, so the flannel pods must be restarted for the change to take effect; confirm it through the `flannel.alpha.coreos.com/backend-type` annotation on each Node.

Restrict who can set Kubernetes Node annotations, since the vulnerability requires that ability. Annotations are part of the Node object's metadata, so any RBAC subject with `update` or `patch` on `nodes` can set them; review those bindings and limit them to flannel's own service account (which needs the permission to publish its own backend data) and trusted administrators.

Monitor and audit changes to Node annotations: log writes to `nodes` in the API server audit policy and alert on any write that touches `flannel.alpha.coreos.com/backend-data` from a subject other than flannel.
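The last two steps only help if someone looks at the audit trail. As an added example (not part of the advisory or of flannel), the following script scans API server audit log lines for writes to `nodes` whose request body sets `flannel.alpha.coreos.com/backend-data` by any subject other than flannel. It assumes the audit policy records `nodes` at level `Request` or higher, so the request body is present as `requestObject`, and that flannel runs as the upstream manifest's service account `system:serviceaccount:kube-flannel:flannel`; both are assumptions to adjust for your cluster. The sample log lines are constructed.

```python
"""Flag writes to the flannel backend-data Node annotation by anyone other than
flannel, from Kubernetes API server audit log lines (one JSON event per line).

Added example, not from the advisory or the flannel project. Assumes the audit
policy records nodes at level Request or RequestResponse (requestObject present)
and that flannel uses the upstream manifest's service account; edit
ALLOWED_WRITERS for your install.
"""
import json
import sys

BACKEND_DATA_ANNOTATION = "flannel.alpha.coreos.com/backend-data"
ALLOWED_WRITERS = {"system:serviceaccount:kube-flannel:flannel"}  # assumption
WRITE_VERBS = {"create", "update", "patch"}


def annotation_written(body):
    """True if a Node write body sets the backend-data annotation.

    A JSON Patch body is a list of ops with RFC 6901 paths ('/' in a key is
    escaped as '~1'); merge patches, strategic merge patches and full objects
    are dicts carrying a metadata.annotations map.
    """
    if isinstance(body, list):
        key_path = "/metadata/annotations/" + BACKEND_DATA_ANNOTATION.replace("/", "~1")
        for op in body:
            path = op.get("path", "")
            if path == key_path:
                return True
            if path == "/metadata/annotations" and isinstance(op.get("value"), dict):
                if BACKEND_DATA_ANNOTATION in op["value"]:
                    return True
        return False
    if isinstance(body, dict):
        annotations = (body.get("metadata") or {}).get("annotations") or {}
        return BACKEND_DATA_ANNOTATION in annotations
    return False


def suspicious_writes(lines):
    """One record per non-allowlisted write to the annotation, denied attempts included."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        # Each request is logged at RequestReceived and ResponseComplete; use the
        # latter so the response code is known and nothing is counted twice.
        if ev.get("stage") != "ResponseComplete":
            continue
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "nodes" or ev.get("verb") not in WRITE_VERBS:
            continue
        if not annotation_written(ev.get("requestObject")):
            continue
        user = (ev.get("user") or {}).get("username", "")
        if user in ALLOWED_WRITERS:
            continue
        hits.append({"user": user, "node": ref.get("name"), "verb": ev["verb"],
                     "code": (ev.get("responseStatus") or {}).get("code")})
    return hits


# Constructed sample events, trimmed to the fields the checks read.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    # flannel publishing its own node's data: expected, not reported
    {"stage": "ResponseComplete", "verb": "patch",
     "user": {"username": "system:serviceaccount:kube-flannel:flannel"},
     "objectRef": {"resource": "nodes", "name": "node-a"},
     "requestObject": {"metadata": {"annotations": {BACKEND_DATA_ANNOTATION: "\"key-node-a\""}}},
     "responseStatus": {"code": 200}},
    # a user setting the annotation on another node via JSON Patch: reported once
    {"stage": "RequestReceived", "verb": "patch", "user": {"username": "alice"},
     "objectRef": {"resource": "nodes", "name": "node-b"}},
    {"stage": "ResponseComplete", "verb": "patch", "user": {"username": "alice"},
     "objectRef": {"resource": "nodes", "name": "node-b"},
     "requestObject": [{"op": "add",
                        "path": "/metadata/annotations/flannel.alpha.coreos.com~1backend-data",
                        "value": "\"x; id\""}],  # placeholder payload, constructed
     "responseStatus": {"code": 200}},
    # kubelet relabeling its own node: touches metadata but not the annotation
    {"stage": "ResponseComplete", "verb": "patch", "user": {"username": "system:node:node-c"},
     "objectRef": {"resource": "nodes", "name": "node-c"},
     "requestObject": {"metadata": {"labels": {"zone": "b"}}},
     "responseStatus": {"code": 200}},
])


def main(argv):
    lines = open(argv[1]).read().splitlines() if len(argv) > 1 else SAMPLE_AUDIT_LOG.splitlines()
    hits = suspicious_writes(lines)
    for h in hits:
        print(f"{h['user']} {h['verb']} nodes/{h['node']} -> HTTP {h['code']}: "
              f"sets {BACKEND_DATA_ANNOTATION}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Both patch encodings are covered: a JSON Patch body is a list of operations whose paths escape `/` as `~1`, so the key appears as `flannel.alpha.coreos.com~1backend-data`, while merge and strategic merge patches carry a plain `metadata.annotations` map. Denied writes (HTTP 403) are reported as well, since an attempt to set the annotation is itself worth knowing about.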

