Executive Summary

This vulnerability affects the OpenShift Router and involves Server-Side Request Forgery (SSRF) through FQDN-typed EndpointSlice objects.

An attacker who has write access to EndpointSlice can create a Service backed by an EndpointSlice with a Fully Qualified Domain Name (FQDN) that resolves to the cloud metadata IP address (169.254.169.254).

By creating a Route targeting this malicious Service, the OpenShift Router proxies requests to the cloud metadata endpoint, which leads to the disclosure of instance credentials and other sensitive metadata.

This attack bypasses previous security measures that only validated IP addresses and is not mitigated by IMDSv2 because the router's HAProxy runs as a hostNetwork process at Layer 7, allowing token exchange.

The attack requires the IngressController to use HostNetwork endpoint publishing, which is the default on bare metal or User-Provisioned Infrastructure (UPI) but not on cloud providers.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the unauthorized disclosure of instance credentials and other sensitive metadata from the cloud metadata service.

An attacker exploiting this flaw can gain access to sensitive information that could be used to further compromise the affected system or cloud environment.

Since the router proxies requests to the cloud metadata endpoint, it effectively allows an attacker to bypass security controls and retrieve confidential data.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring for creation of EndpointSlices with FQDNs that resolve to the cloud metadata IP address (169.254.169.254). Specifically, look for Services backed by FQDN EndpointSlices pointing to this IP, as well as Routes targeting these Services.

You can use commands to inspect EndpointSlices and Services in your OpenShift cluster to identify suspicious entries.

• kubectl get endpointslices -A -o json | jq '.items[] | select(.endpoints[].hostname | test("169.254.169.254"))'
• kubectl get services -A -o json | jq '.items[] | select(.spec.selector != null)'
• kubectl get routes -A -o wide | grep <suspicious-service-name>

Additionally, monitor network traffic for unexpected requests from the router to the cloud metadata endpoint (169.254.169.254).

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting write access to EndpointSlices to trusted users only, preventing attackers from creating malicious FQDN EndpointSlices.

Avoid using HostNetwork endpoint publishing for the IngressController where possible, as this is required for the attack to succeed and is the default only on bare metal or UPI installations.

Review and apply any vendor patches or updates addressing CVE-2026-42965 as soon as they become available.

Monitor and audit EndpointSlice and Service creation events to detect and block suspicious configurations.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthorized disclosure of instance credentials and sensitive metadata by exploiting the OpenShift Router. Such unauthorized access to sensitive information can lead to violations of data protection and privacy regulations like GDPR and HIPAA, which mandate strict controls over access to sensitive data and credentials.

By bypassing previous security measures and enabling Server-Side Request Forgery (SSRF) to cloud metadata endpoints, this flaw increases the risk of data breaches and unauthorized data exposure, potentially impacting compliance with standards that require confidentiality and integrity of sensitive information.

Useful 0 Not Useful 0