CVE-2026-32254
Received Received - Intake
Improper Validation of ExternalIPs in Kube-router Proxy Module

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Kube-router is a turnkey solution for Kubernetes networking. Prior to version 2.8.0, Kube-router's proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration. Version 2.8.0 contains a patch for the issue. Available workarounds include enabling DenyServiceExternalIPs feature gate, deploying admission policy, restricting service creation RBAC, monitoring service changes, and applying BGP prefix filtering.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32254
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kube-router kube-router to 2.8.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32254 is a vulnerability in kube-router versions prior to 2.8.0 where the proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration."}, {'type': 'paragraph', 'content': 'This means that namespace-scoped users with permissions to create or modify Services can bind arbitrary IP addresses cluster-wide without restriction. The proxy module blindly trusts and copies these IPs into network interfaces and IPVS virtual services, ignoring configured IP range restrictions.'}, {'type': 'paragraph', 'content': 'This lack of validation allows attackers to hijack traffic by binding unauthorized virtual IPs (VIPs), cause denial of service attacks on critical services like cluster DNS by replacing legitimate endpoints with attacker-controlled pods, and bypass IP range restrictions intended to secure the cluster.'}, {'type': 'paragraph', 'content': 'The vulnerability is addressed in kube-router version 2.8.0 by introducing strict validation of externalIPs and loadBalancer IPs against user-configured CIDR ranges, rejecting IPs outside these ranges or conflicting with cluster IPs.'}] [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers with limited namespace permissions to bind arbitrary IP addresses cluster-wide, potentially hijacking network traffic.

  • Traffic Hijacking: Attackers can redirect traffic intended for legitimate services to attacker-controlled pods by binding unauthorized virtual IPs.
  • Denial of Service (DoS): Critical services such as cluster DNS (e.g., kube-dns) can be disrupted by replacing their endpoints with malicious pods or blackholing traffic, causing cluster-wide service outages.
  • Bypassing IP Range Restrictions: The vulnerability allows IPs outside configured service external IP ranges to be used, undermining network security policies.

Overall, the impact includes high availability disruption, low integrity compromise through traffic redirection, but no direct confidentiality loss.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring and auditing Service resource changes, especially those involving externalIPs and loadBalancer IPs, to identify unauthorized or unexpected IP assignments.'}, {'type': 'paragraph', 'content': 'Suggested detection methods include:'}, {'type': 'list_item', 'content': 'Monitor Kubernetes audit logs for Service create, update, or delete operations that include externalIPs or loadBalancer IPs.'}, {'type': 'list_item', 'content': 'Use kubectl commands to list Services and inspect their externalIPs and loadBalancer IPs for any IPs outside the expected CIDR ranges.'}, {'type': 'list_item', 'content': 'Example command to list Services with externalIPs:'}, {'type': 'paragraph', 'content': 'kubectl get svc --all-namespaces -o jsonpath=\'{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{": "}{.spec.externalIPs}{"\\n"}{end}\''}, {'type': 'list_item', 'content': 'Check node network interfaces (such as kube-dummy-if) and IPVS virtual services for unexpected IP bindings that could indicate exploitation.'}, {'type': 'list_item', 'content': 'Example command to check IPVS virtual services:'}, {'type': 'paragraph', 'content': 'ipvsadm -L -n'}, {'type': 'list_item', 'content': 'Inspect ipset entries related to kube-router (e.g., kube-router-svip) for unauthorized IPs.'}] [2, 1, 3]

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade kube-router to version 2.8.0 or later, which contains a patch that enforces strict validation of externalIPs and loadBalancer IPs.
  • Enable the `--strict-external-ip-validation` flag (enabled by default in v2.8.0) to ensure only IPs within configured CIDR ranges are accepted.
  • Configure the `--service-external-ip-range` and `--loadbalancer-ip-range` flags with appropriate CIDR ranges to define allowed IPs.
  • If immediate upgrade is not possible, enable the Kubernetes API server feature gate `DenyServiceExternalIPs=true` to block external IPs at the API level.
  • Deploy admission policies (e.g., Kyverno, OPA, ValidatingAdmissionPolicy) to restrict creation or modification of Services with externalIPs.
  • Restrict RBAC permissions to prevent namespace-scoped users from creating or modifying Services with externalIPs.
  • Monitor Service resource changes via Kubernetes audit logs to detect suspicious activity.
  • Apply BGP prefix filtering if using BGP to restrict advertised IP ranges.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32254. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart