CVE-2026-29955
Command Injection in KubePlus kubeconfiggenerator via Unsanitized Input
Publication date: 2026-04-13
Last updated on: 2026-05-01
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cloudark | kubeplus | up to 4.2.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29955 is a critical command injection vulnerability in the kubeconfiggenerator component of KubePlus (version 4.2.0 and earlier). It exists in the `/registercrd` HTTP endpoint where the `chartName` parameter is directly concatenated into shell commands executed with Python's subprocess.Popen() using `shell=True` without any sanitization or validation.
Because of this unsafe coding practice, an attacker can inject arbitrary shell commands by crafting a malicious `chartName` parameter value using shell command substitution syntax like `$(command)`.
This allows remote attackers with network access to the HTTP interface to execute arbitrary commands as root inside the container running kubeconfiggenerator.
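As an added illustration (constructed here, not KubePlus code; the `helm pull` command line and the DNS-label shape of a valid chart name are assumptions), the string-building pattern the description refers to, beside a hardened version that validates `chartName` and passes an argv list with `shell=False`, plus a small check for reviewing request parameters in access logs:

```python
import re
import subprocess

# Constructed example, not KubePlus code: the actual command line that
# kubeconfiggenerator builds is not on the page, so `helm pull` is assumed.


def build_command_unsafe(chart_url: str, chart_name: str) -> str:
    """Vulnerable pattern (CWE-94): request parameters are spliced into one
    string that is then handed to subprocess.Popen(cmd, shell=True).
    /bin/sh -c evaluates any $(...) inside chart_name before helm runs."""
    return f"helm pull {chart_url} --untar --untardir /tmp/{chart_name}"


# Hardened version: allowlist the parameter, then avoid the shell entirely.
# Kubernetes-style DNS label (lowercase alphanumerics and '-', at most 63
# characters) is assumed here as the only acceptable chart name shape.
CHART_NAME_RE = re.compile(r"[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?")


def is_valid_chart_name(chart_name: str) -> bool:
    return CHART_NAME_RE.fullmatch(chart_name) is not None


def validate_chart_name(chart_name: str) -> str:
    if not is_valid_chart_name(chart_name):
        raise ValueError(f"rejected chartName: {chart_name!r}")
    return chart_name


def build_command_safe(chart_url: str, chart_name: str) -> list[str]:
    name = validate_chart_name(chart_name)
    # Each argument is its own argv element; no shell re-parses the line,
    # so substitution syntax would be an inert literal even if it got here.
    return ["helm", "pull", chart_url, "--untar", "--untardir", f"/tmp/{name}"]


def run_safe(chart_url: str, chart_name: str) -> subprocess.CompletedProcess:
    return subprocess.run(build_command_safe(chart_url, chart_name),
                          shell=False, check=True, capture_output=True)


# Detection aid for log review: flag parameter values that carry shell
# metacharacters, including the $(...) substitution the description names.
SHELL_META_RE = re.compile(r"[$`;&|<>(){}\n]")


def has_shell_metacharacters(value: str) -> bool:
    return SHELL_META_RE.search(value) is not None
```

`run_safe` is included to show the complete hardened call; the other functions can be exercised without `helm` installed.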
How can this vulnerability impact me?
This vulnerability can have severe impacts including:
- Remote Code Execution (RCE) allowing arbitrary commands to be run as root inside the container.
- Theft of sensitive credentials such as Kubernetes cluster-admin ServiceAccount tokens.
- Full cluster takeover by using stolen tokens to access and control the Kubernetes API with cluster-admin privileges.
- Lateral movement across all namespaces and resources within the Kubernetes cluster.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the kubeconfiggenerator container logs for abnormal command execution patterns, especially commands involving shell command substitution syntax such as `$(command)`.
Additionally, you can test for exploitation by sending crafted HTTP requests to the `/registercrd` endpoint with malicious `chartName` parameters that attempt to execute simple commands, such as creating a file inside the container.
- Example command to test command injection by creating a file `/tmp/pwned.txt` inside the container: `curl -s 'http://localhost:5005/registercrd?kind=Test&version=v1&group=test.io&plural=tests&chartURL=https://example.com/test.tgz&chartName=$(id>/tmp/pwned.txt)'`
- Verify the execution by checking for the presence of `/tmp/pwned.txt` inside the container.
- Another test command to check token theft possibility: `curl -s 'http://localhost:5005/registercrd?kind=Test2&version=v1&group=test2.io&plural=test2s&chartURL=https://example.com/test.tgz&chartName=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token>/tmp/stolen-token.txt)'`
- Then verify the stolen token file `/tmp/stolen-token.txt` inside the container.
What immediate steps should I take to mitigate this vulnerability?
Since no official patch is currently available, immediate mitigation steps include restricting network access to the vulnerable kubeconfighelper service and reducing privileges of the associated ServiceAccount.
- Use Kubernetes NetworkPolicy to restrict access to the kubeconfighelper HTTP service (default port 5005) to trusted sources only.
- Reduce the privileges of the `kubeplus-saas-provider` ServiceAccount to limit the potential impact if exploited.
- Monitor the kubeconfiggenerator container logs for abnormal or suspicious command execution patterns that may indicate exploitation attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-29955 vulnerability enables attackers to execute arbitrary commands as root inside the kubeconfiggenerator container and steal cluster-admin ServiceAccount tokens, leading to full control over the Kubernetes cluster.
This level of unauthorized access and control can result in exposure, modification, or deletion of sensitive data stored or processed within the cluster.
Such data breaches and unauthorized access can violate compliance requirements of common standards and regulations like GDPR and HIPAA, which mandate strict controls over data confidentiality, integrity, and access.
Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to potential data breaches, unauthorized data access, and lack of adequate security controls.