CVE-2026-44543
Analyzed Analyzed - Analysis Complete
Privilege Escalation in Rancher Local Path Provisioner

Publication date: 2026-05-28

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
Local Path Provisioner provides a way for the Kubernetes users to utilize the local storage in each node. Prior to 0.0.36, a malicious user with permission to edit the local-path-config ConfigMap in the local-path-storage namespace can manipulate the helperPod.yaml template used by rancher/local-path-provisioner. The helperPod.yaml template is loaded by the provisioner and used to create HelperPods during PVC provisioning and cleanup operations. However, the template is not sufficiently validated before use. Security-sensitive fields such as securityContext.privileged, hostPath volumes, and Linux capabilities can be injected into the template. When a PVC operation triggers HelperPod creation, the provisioner creates the HelperPod using the attacker-controlled template. This can result in a privileged pod running on the target node with the host root filesystem mounted. This may allow the attacker to access sensitive host files, read ServiceAccount tokens from other pods on the same node, access other tenants' local-path volume data, or modify files on the host node. This vulnerability is fixed in 0.0.36.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-08
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-44543
EUVD
EUVD-2026-32954
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
suse local_path_provisioner to 0.0.36 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker to create a privileged pod with access to the host root filesystem, potentially leading to unauthorized access to sensitive host files, ServiceAccount tokens, and other tenants' data. Such unauthorized access and potential data exposure can compromise confidentiality and integrity of sensitive information.

As a result, organizations using affected versions of the local-path-provisioner may face challenges in maintaining compliance with data protection standards and regulations such as GDPR and HIPAA, which require strict controls to protect sensitive data from unauthorized access and modification.

Mitigations such as upgrading to patched versions, restricting write access to the ConfigMap, or enabling Kubernetes Pod Security Admission policies are necessary to reduce the risk and help maintain compliance.

Executive Summary

CVE-2026-44543 is a vulnerability in the rancher/local-path-provisioner project affecting versions prior to 0.0.36. It involves a HelperPod Template Injection flaw where a malicious user with permission to edit the local-path-config ConfigMap in the local-path-storage namespace can manipulate the helperPod.yaml template.

This template is used by the provisioner to create HelperPods during Persistent Volume Claim (PVC) provisioning and cleanup operations. Because the template is not sufficiently validated before use, an attacker can inject security-sensitive fields such as privileged security contexts, hostPath volumes, and Linux capabilities.

Exploiting this, the attacker can cause the provisioner to create a privileged HelperPod with the host root filesystem mounted, potentially leading to unauthorized access to sensitive host files, ServiceAccount tokens from other pods on the same node, other tenants' local-path volume data, or modification of files on the host node.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive host files and data, exposure of ServiceAccount tokens from other pods on the same node, and access to other tenants' local-path volume data.

Additionally, an attacker could modify files on the host node, potentially compromising the integrity of the system.

Because the exploit allows creation of privileged pods with host root filesystem access, it poses a high security risk and can lead to significant breaches in confidentiality and integrity.

Detection Guidance

This vulnerability involves manipulation of the local-path-config ConfigMap in the local-path-storage namespace to inject malicious fields into the helperPod.yaml template used by the local-path-provisioner.

To detect this vulnerability on your system, you should inspect the local-path-config ConfigMap for unauthorized or suspicious modifications, especially looking for injected security-sensitive fields such as privileged securityContext, hostPath volumes, or Linux capabilities.

  • Use kubectl to check the contents of the ConfigMap: kubectl -n local-path-storage get configmap local-path-config -o yaml
  • Look for unexpected fields in the helperPod.yaml template within the ConfigMap output, such as securityContext.privileged: true, hostPath volume mounts, or added Linux capabilities.
  • Check for the version of the local-path-provisioner to ensure it is 0.0.36 or later: kubectl -n local-path-storage get deployment local-path-provisioner -o yaml | grep image
Mitigation Strategies

The primary mitigation is to upgrade the local-path-provisioner to version 0.0.36 or later, where the vulnerability is fixed by validating and rejecting unsafe fields in the helperPod.yaml template.

Until you can upgrade, you can apply temporary mitigations to reduce risk:

  • Restrict write access to the local-path-config ConfigMap to trusted users only.
  • Mark the local-path-config ConfigMap as immutable to prevent modifications.
  • Enable Kubernetes Pod Security Admission with baseline policies for the local-path-storage namespace to limit the creation of privileged pods.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44543. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart