CVE-2026-47190
Status: Awaiting Analysis - Queue
Excessive Secret Permissions in IPAM for Cluster API Provider Metal3

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data. This issue has been patched in versions 1.11.7, 1.12.4, and 1.13.0.
Affected Vendors & Products

Vendor: metal3-io
Product: ip-address-manager
Version / Range: up to 1.13.0 (excluding)

Note that this single CPE range is coarser than the description: 1.11.7 and later in the 1.11 line and 1.12.4 and later in the 1.12 line are also patched, so only 1.11.x below 1.11.7, 1.12.x below 1.12.4 and 1.13 builds before 1.13.0 should be treated as affected.
CWE-250 (Execution with Unnecessary Privileges): The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
Executive Summary

The vulnerability in CVE-2026-47190 concerns the IPAM controller in the metal3-io/ip-address-manager project. Prior to 1.11.7, 1.12.4 and 1.13.0, the controller's ClusterRole was granted full CRUD permissions on Kubernetes core/v1 Secrets, even though the controller does not access Secrets during operation.

If the controller pod is compromised, for example through a supply chain attack or container escape, an attacker could exploit these excessive permissions to read, modify, or delete Secrets within the namespace. This could lead to exposure of sensitive data such as credentials.

The issue was addressed by removing the unnecessary RBAC permissions for Secrets, thereby reducing the attack surface and improving security.

Impact Analysis

This is a privilege-amplification issue (CWE-250), not a remotely reachable bug: it has no effect until an attacker already runs code inside the IPAM controller pod, for example through a supply chain attack on the image or a container escape. From there, the pod's service account token carries the ClusterRole's grants, and the attacker could use the Kubernetes API to:

  • Read sensitive information such as credentials stored in Secrets.
  • Modify or delete Secrets, potentially disrupting services or causing data loss.

How far those grants reach depends on how the ClusterRole is bound: a RoleBinding limits them to one namespace, a ClusterRoleBinding extends them to every namespace in the cluster.

Compliance Impact

This vulnerability is an excessive-permission weakness: the IPAM controller held full CRUD rights on Kubernetes Secrets it never uses, so a compromise of the controller pod would expose credentials and other sensitive data held in those Secrets.

Standards and regulations such as GDPR and HIPAA require access to sensitive data to be limited to what is needed and protected against breach, and the unused Secrets grant is a least-privilege gap against that requirement. Applying the patch removes the grant, reduces the attack surface, and aligns the deployment with the least-privilege controls those standards expect.

Detection Guidance

This vulnerability can be detected by inspecting the RBAC rules of the IPAM controller's ClusterRole. This page names it metal3-ipam-controller-manager-role; the installed name can differ with the deployment method, so list candidates first with kubectl get clusterrole | grep -i ipam. A vulnerable role carries a rule with apiGroups "" (the core group), resources "secrets" and some or all of the verbs create, delete, get, list, patch, update and watch.

You can use kubectl commands to review the ClusterRole permissions related to Secrets. Note that kubectl describe prints resource names in lower case, so match case-insensitively, and that in -o yaml output the resource list sits on separate lines below resources:, so a single-line grep for 'resources:.*secrets' finds nothing.

  • kubectl describe clusterrole metal3-ipam-controller-manager-role | grep -i secrets
  • kubectl get clusterrole metal3-ipam-controller-manager-role -o json | jq '.rules[] | select(.resources | index("secrets"))'
  • kubectl auth can-i list secrets --as=system:serviceaccount:<namespace>:<serviceaccount>

The first two print the rule and its verbs; the third checks the effective permission of the controller's service account (substitute the namespace and service account name from the controller's Deployment) and so also catches a grant that arrives through some other binding. If any of create, delete, get, list, patch, update, or watch is granted on Secrets, the vulnerability is present. Also check whether the role is attached by a RoleBinding (namespace-scoped) or a ClusterRoleBinding (cluster-wide), since that sets how far a compromised pod could reach.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the IPAM controller to one of the patched versions: 1.11.7, 1.12.4, or 1.13.0, where the excessive permissions on Secrets have been removed.

If upgrading immediately is not possible, you can manually remove the Secrets resource entry from the metal3-ipam-controller-manager-role ClusterRole (for example with kubectl edit clusterrole metal3-ipam-controller-manager-role). Since the controller never accesses Secrets, removing the rule cannot break it. Two caveats: whatever tooling installed the provider will restore the rule if it re-applies its manifests, so repeat the detection check after every reinstall or upgrade; and if some other RBAC binding grants the controller's service account access to Secrets, editing this one role does not close it, which is why a kubectl auth can-i check against the controller's service account is the better final verification.

These steps reduce the attack surface by taking away a permission the controller does not need, so that a compromised controller pod no longer yields the Secrets in its reach.
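The detection check and the manual workaround above, as one added example (this is not code from the metal3-io/ip-address-manager project): a Python script that audits a ClusterRole or Role in the JSON form that kubectl get ... -o json produces, reports any grant on core/v1 Secrets while expanding wildcard apiGroups, resources and verbs, and with --fix emits the same role with the Secrets entries stripped. The embedded sample ClusterRole is constructed for the example and is not the project's real role (only the Secrets rule mirrors the grant the description names); the installed role name and the script name secrets_rbac.py are assumptions.

```python
"""Audit a Kubernetes (Cluster)Role for grants on core/v1 Secrets and emit a
copy with those grants removed.  Added example, not project code.

Usage against a live cluster (use the role name your install actually has):
    kubectl get clusterrole <role> -o json | python3 secrets_rbac.py
    kubectl get clusterrole <role> -o json | python3 secrets_rbac.py --fix | kubectl replace -f -
With nothing on stdin it runs against the constructed sample below.
"""
import copy
import json
import sys

# The verb set the advisory names; a "*" verb expands to all of them.
ALL_VERBS = frozenset({"create", "delete", "get", "list", "patch", "update", "watch"})


def _names_secrets(rule):
    """True if a PolicyRule reaches core-group Secrets.

    apiGroups "" is the core group and "*" is every group; a resource of "*"
    is every resource in those groups.  Subresources like "secrets/status"
    count as well.
    """
    groups = rule.get("apiGroups") or []
    resources = rule.get("resources") or []
    if not any(g in ("", "*") for g in groups):
        return False
    return any(r == "*" or r == "secrets" or r.startswith("secrets/") for r in resources)


def secret_verbs(role):
    """Return the set of verbs the role grants on Secrets (empty means clean)."""
    verbs = set()
    for rule in role.get("rules") or []:
        if _names_secrets(rule):
            for v in rule.get("verbs") or []:
                verbs |= ALL_VERBS if v == "*" else {v}
    return verbs


def without_secret_rules(role):
    """Return a copy of the role with Secrets removed from every rule.

    A rule that listed only Secrets is dropped; one that also listed other
    resources keeps those.  A rule with resources ["*"] is left unchanged,
    because narrowing a wildcard is a human decision; secret_verbs() on the
    result still flags it.  Server-owned metadata is stripped so the output
    can be fed to `kubectl replace -f -`.
    """
    fixed = copy.deepcopy(role)
    kept = []
    for rule in fixed.get("rules") or []:
        if _names_secrets(rule) and "*" not in rule.get("resources", []):
            rule["resources"] = [r for r in rule["resources"]
                                 if r != "secrets" and not r.startswith("secrets/")]
            if not rule["resources"]:
                continue  # the rule granted only Secrets; drop it entirely
        kept.append(rule)
    fixed["rules"] = kept
    for key in ("resourceVersion", "uid", "creationTimestamp", "managedFields", "generation"):
        fixed.get("metadata", {}).pop(key, None)
    return fixed


# Constructed sample shaped like `kubectl get clusterrole -o json` output.
# Not the project's real ClusterRole: the Secrets rule mirrors the grant the
# advisory describes; the other rules are illustrative only.
SAMPLE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "metal3-ipam-controller-manager-role", "resourceVersion": "12345"},
    "rules": [
        {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"apiGroups": ["ipam.metal3.io"], "resources": ["ippools", "ipclaims", "ipaddresses"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ],
}


def main(argv):
    role = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ROLE
    verbs = secret_verbs(role)
    name = role.get("metadata", {}).get("name", "<unnamed>")
    if "--fix" in argv:
        print(json.dumps(without_secret_rules(role), indent=2))
        return 1 if verbs else 0
    if verbs:
        print(f"FINDING: {name} grants {sorted(verbs)} on core/v1 secrets", file=sys.stderr)
        return 1
    print(f"OK: {name} grants nothing on core/v1 secrets", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Pipe a live role in to audit it (exit status 1 on a finding, so it drops into CI), or add --fix and pipe the result to kubectl replace -f -, then run the audit again. The script deliberately does not rewrite a rule whose resources are ["*"]: such a rule is reported, but deciding what that wildcard should become is not something a one-off fixer should guess at.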
