CVE-2026-32254
Improper Validation of ExternalIPs in Kube-router Proxy Module
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kube-router | kube-router | < 2.8.0 (2.8.0 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32254 is a vulnerability in kube-router versions prior to 2.8.0: the proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration.

This means that namespace-scoped users with permission to create or modify Services can bind arbitrary IP addresses cluster-wide without restriction. The proxy module trusts these IPs as given and copies them onto node network interfaces and into IPVS virtual services, ignoring any configured IP range restrictions.

This lack of validation allows an attacker to hijack traffic by binding unauthorized virtual IPs (VIPs), to cause denial of service on critical services such as cluster DNS by replacing their legitimate endpoints with attacker-controlled pods, and to bypass the IP range restrictions intended to secure the cluster.

The vulnerability is addressed in kube-router version 2.8.0, which introduces strict validation of externalIPs and loadBalancer IPs against user-configured CIDR ranges and rejects IPs that fall outside those ranges or that conflict with cluster IPs. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers with limited namespace permissions to bind arbitrary IP addresses cluster-wide, potentially hijacking network traffic.
- Traffic Hijacking: Attackers can redirect traffic intended for legitimate services to attacker-controlled pods by binding unauthorized virtual IPs.
- Denial of Service (DoS): Critical services such as cluster DNS (e.g., kube-dns) can be disrupted by replacing their endpoints with malicious pods or blackholing traffic, causing cluster-wide service outages.
- Bypassing IP Range Restrictions: The vulnerability allows IPs outside configured service external IP ranges to be used, undermining network security policies.
Overall, the impact is high on availability (service outages), low on integrity (traffic redirected to attacker-controlled pods), and there is no direct loss of confidentiality.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring and auditing Service changes, especially those that set externalIPs or loadBalancer IPs, to identify unauthorized or unexpected IP assignments. Suggested detection methods:

- Monitor Kubernetes audit logs for Service create, update and delete operations whose object carries externalIPs or loadBalancer IPs.
- List Services and inspect their externalIPs and loadBalancer IPs for any address outside the expected CIDR ranges. Example command to list every Service with its externalIPs: `kubectl get svc --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{": "}{.spec.externalIPs}{"\n"}{end}'`
- On each node, check the network interface kube-router binds VIPs to (such as `kube-dummy-if`) and the IPVS virtual services for unexpected IP bindings that could indicate exploitation. Example command to list IPVS virtual services: `ipvsadm -L -n`
- Inspect the ipset entries kube-router maintains (e.g., `kube-router-svip`) for unauthorized IPs.

[2, 1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade kube-router to version 2.8.0 or later, which enforces strict validation of externalIPs and loadBalancer IPs.
- Keep the `--strict-external-ip-validation` flag enabled (enabled by default in v2.8.0) so that only IPs within the configured CIDR ranges are accepted.
- Configure `--service-external-ip-range` and `--loadbalancer-ip-range` with the CIDR ranges you actually allocate VIPs from; the validation is only as tight as the ranges you give it.
- If an immediate upgrade is not possible, enable the `DenyServiceExternalIPs` admission controller on kube-apiserver (`--enable-admission-plugins=DenyServiceExternalIPs`). It is an admission plugin, not a feature gate; it rejects Services that add or change `spec.externalIPs`, but it does not restrict loadBalancer IPs, so cover those with an admission policy.
- Deploy admission policies (e.g., Kyverno, OPA, ValidatingAdmissionPolicy) that reject Services whose externalIPs or loadBalancer IP fall outside the permitted ranges, or that are created in namespaces not allowed to own VIPs.
- Tighten RBAC. Kubernetes RBAC cannot restrict individual fields, so limit which principals may create or update Services at all, and rely on admission control for the field-level check.
- Monitor Service changes via Kubernetes audit logs to detect suspicious activity.
- If kube-router advertises Service IPs over BGP, apply prefix filters on the peers so that only the sanctioned external and LoadBalancer ranges are accepted.
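As an added example that serves both the detection commands above and the range configuration in the mitigation list (this is not code from kube-router or from this advisory's sources), the following Python script applies the rule the advisory attributes to kube-router 2.8.0, namely that a VIP must fall inside the configured external-IP or LoadBalancer CIDRs and must not collide with the cluster service CIDR, to the JSON that `kubectl get svc -A -o json` produces, and additionally flags the same VIP claimed by Services in two different namespaces, which is the hijack pattern described above. The CIDRs, namespace names and Service objects are constructed sample data, and the exact check kube-router performs is assumed rather than taken from its source.

```python
"""Audit Service VIPs the way a range-validating proxy would.

Added example for this advisory, not kube-router code. Checks every IP a
Service asks the proxy to program (spec.externalIPs, spec.loadBalancerIP,
status.loadBalancer.ingress) against allowed CIDRs and the cluster service
CIDR, and reports cross-namespace reuse of the same VIP.
"""
import ipaddress
import json
import sys

# Constructed: the CIDRs you would hand kube-router as
# --service-external-ip-range and --loadbalancer-ip-range, plus the
# cluster service CIDR that ClusterIPs are allocated from.
EXTERNAL_IP_RANGES = ["192.0.2.0/24"]
LOADBALANCER_IP_RANGES = ["198.51.100.0/24"]
CLUSTER_SERVICE_CIDR = "10.96.0.0/12"

# Constructed stand-in for `kubectl get svc -A -o json`: two legitimate
# Services, one claiming an externalIP outside the allowed range, one
# claiming an address inside the ClusterIP range, and one in another
# namespace re-claiming the VIP that prod/web already owns.
SAMPLE_SVC_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "prod", "name": "web"},
     "spec": {"clusterIP": "10.96.5.10", "externalIPs": ["192.0.2.10"]},
     "status": {"loadBalancer": {}}},
    {"metadata": {"namespace": "prod", "name": "api"},
     "spec": {"clusterIP": "10.96.5.11", "loadBalancerIP": "198.51.100.7"},
     "status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.7"}]}}},
    {"metadata": {"namespace": "tenant-a", "name": "evil-dns"},
     "spec": {"clusterIP": "10.96.7.3", "externalIPs": ["203.0.113.53"]},
     "status": {"loadBalancer": {}}},
    {"metadata": {"namespace": "tenant-a", "name": "vip-clash"},
     "spec": {"clusterIP": "10.96.7.4", "externalIPs": ["10.96.0.10"]},
     "status": {"loadBalancer": {}}},
    {"metadata": {"namespace": "tenant-b", "name": "steal-web"},
     "spec": {"clusterIP": "10.96.8.1", "externalIPs": ["192.0.2.10"]},
     "status": {"loadBalancer": {}}},
]})


def service_vips(svc):
    """Yield (field, ip) for every address a Service asks the proxy to bind."""
    spec = svc.get("spec") or {}
    for ip in spec.get("externalIPs") or []:
        yield "spec.externalIPs", ip
    if spec.get("loadBalancerIP"):
        yield "spec.loadBalancerIP", spec["loadBalancerIP"]
    status_lb = (svc.get("status") or {}).get("loadBalancer") or {}
    for ingress in status_lb.get("ingress") or []:
        if ingress.get("ip"):
            yield "status.loadBalancer.ingress", ingress["ip"]


def in_ranges(ip, cidrs):
    """True if ip lies inside any of the given CIDRs (version mismatch -> False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def audit_services(svc_json, external_ranges, lb_ranges, cluster_cidr):
    """Return (namespace/name, field, ip, reason) for every VIP the assumed
    2.8.0-style validation would reject, plus cross-namespace VIP reuse."""
    findings = []
    owner_of = {}  # ip -> first Service (in list order) that claimed it
    cluster_net = ipaddress.ip_network(cluster_cidr, strict=False)
    for svc in json.loads(svc_json)["items"]:
        name = f'{svc["metadata"]["namespace"]}/{svc["metadata"]["name"]}'
        for field, ip in service_vips(svc):
            # externalIPs are checked against the external range; LoadBalancer
            # fields against the LoadBalancer range.
            allowed = external_ranges if field == "spec.externalIPs" else lb_ranges
            if ipaddress.ip_address(ip) in cluster_net:
                findings.append((name, field, ip, "inside cluster service CIDR"))
            elif not in_ranges(ip, allowed):
                findings.append((name, field, ip, "outside configured range"))
            # A VIP legitimately appears in several fields of one Service, but
            # never in two different Services: that is the hijack pattern.
            owner = owner_of.setdefault(ip, name)
            if owner != name:
                findings.append((name, field, ip, f"VIP already claimed by {owner}"))
    return findings


if __name__ == "__main__":
    # Use the constructed sample when run interactively, otherwise read the
    # output of `kubectl get svc -A -o json` from stdin.
    data = SAMPLE_SVC_JSON if sys.stdin.isatty() else sys.stdin.read()
    for name, field, ip, reason in audit_services(
            data, EXTERNAL_IP_RANGES, LOADBALANCER_IP_RANGES, CLUSTER_SERVICE_CIDR):
        print(f"{name}: {field}={ip}: {reason}")
```

Against a real cluster, replace the three constants with the ranges you pass to kube-router and pipe `kubectl get svc -A -o json` into the script. Any finding is a Service that a patched kube-router would refuse to program, or a VIP claimed from a second namespace; on an unpatched node the same list tells you which addresses to look for in `ipvsadm -L -n` and on `kube-dummy-if`.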