
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32241: Command Injection in Flannel Experimental Extension Backend


Vulnerability ID: CVE-2026-32241
CVSS Score: 7.5
Published: 2026-03-27

Flannel versions prior to 0.28.2 contain a high-severity command injection vulnerability in the experimental Extension backend. Unsanitized Kubernetes Node annotations are passed directly to a system shell, permitting an attacker with node modification privileges to execute arbitrary commands with root permissions on the host.

TL;DR

The Flannel experimental Extension backend evaluates unsanitized node annotation data through a shell wrapper. Attackers with RBAC permissions to modify Node objects can inject shell commands, achieving root-level execution on the Kubernetes node.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-77
  • Attack Vector: Network
  • Privileges Required: Low (Node Annotation Access)
  • CVSS v3.1 Score: 7.5 (High)
  • Exploit Status: Unauthenticated RCE (Host Root)
  • Patched Version: v0.28.2

Affected Systems

  • flannel-io/flannel < 0.28.2
  • flannel: < v0.28.2 (Fixed in: v0.28.2)

Code Analysis

Commit: 08bc9a4

Fix command injection by removing shell wrapper and using os/exec with safe variable expansion.
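The two patterns the commit message contrasts, as an added illustration that is not Flannel's code and does not reproduce the commit above: a shell wrapper splices the annotation value into a string handed to `sh -c`, so shell syntax inside the value is interpreted; the fixed pattern expands placeholders into individual argv entries with `os.Expand` and invokes the program directly through `os/exec`, so the value can only ever be one argument. The `$BACKEND_DATA` placeholder, the template string, the sample annotation value and the `backendDataPattern` allowlist are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"regexp"
	"strings"
)

// Constructed annotation value for the demonstration. It carries shell
// metacharacters so the difference between the two builders is visible.
const sampleBackendData = "10.244.1.0/24; echo injected"

// vulnerableArgv mirrors the shell-wrapper pattern the advisory describes:
// the annotation value is spliced into one string that is handed to "sh -c",
// so any shell syntax inside the value is interpreted by the shell.
func vulnerableArgv(template, backendData string) []string {
	cmdline := strings.ReplaceAll(template, "$BACKEND_DATA", backendData)
	return []string{"sh", "-c", cmdline}
}

// safeArgv expands the template field by field with os.Expand and never
// involves a shell. The annotation value lands in exactly one argv slot,
// whatever characters it contains, so it can only ever be an argument.
func safeArgv(template, backendData string) []string {
	mapping := func(name string) string {
		if name == "BACKEND_DATA" {
			return backendData
		}
		return "" // unknown variables expand to nothing rather than leaking the environment
	}
	var argv []string
	for _, field := range strings.Fields(template) {
		argv = append(argv, os.Expand(field, mapping))
	}
	return argv
}

// backendDataPattern is a hypothetical allowlist; a real deployment would
// tune it to the exact data format its extension scripts expect.
var backendDataPattern = regexp.MustCompile(`^[A-Za-z0-9./:=_-]+$`)

// validateBackendData rejects annotation values outside the allowlist before
// they reach any command builder: defence in depth on top of safeArgv.
func validateBackendData(v string) error {
	if !backendDataPattern.MatchString(v) {
		return fmt.Errorf("backend-data %q contains characters outside the allowlist", v)
	}
	return nil
}

// runArgv executes argv without a shell and returns what the program printed.
func runArgv(argv []string) (string, error) {
	out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput()
	return strings.TrimSpace(string(out)), err
}

func main() {
	const template = "echo $BACKEND_DATA"
	fmt.Printf("vulnerable argv: %q\n", vulnerableArgv(template, sampleBackendData))
	fmt.Printf("safe argv:       %q\n", safeArgv(template, sampleBackendData))
	if out, err := runArgv(safeArgv(template, sampleBackendData)); err == nil {
		fmt.Printf("safe run prints the literal value: %q\n", out)
	}
	fmt.Println("validation:", validateBackendData(sampleBackendData))
}
```

Running the safe argv through `echo` prints the annotation value verbatim, semicolon and all, because no shell ever parses it; the vulnerable argv hands the same text to `sh -c`, where the semicolon ends one command and starts another. The allowlist check is the second layer: even with argv construction fixed, a value that does not look like backend data should never reach the extension scripts.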

Mitigation Strategies

  • Upgrade the Flannel DaemonSet to version 0.28.2 or later.
  • Switch Flannel configuration from the experimental 'Extension' backend to a stable backend like 'vxlan' or 'wireguard'.
  • Restrict Kubernetes RBAC permissions to prevent unauthorized modification of Node annotations.
  • Monitor Kubernetes audit logs for unexpected modifications to the 'flannel.alpha.coreos.com/backend-data' annotation.
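The audit-log check from the last mitigation, as an added example that is not part of the original report: it reads newline-delimited `audit.k8s.io/v1` events and reports every `patch` or `update` of a Node whose request body touches the `flannel.alpha.coreos.com/backend-data` annotation, unless the writer is on an allowlist (normally just the flannel service account). The audit lines are constructed, the allowlisted service-account name is an assumption, and the check relies on the audit policy recording node writes at level `Request` or `RequestResponse`, since `requestObject` is absent at `Metadata` level.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// backendDataAnnotation is the annotation the advisory says to watch.
const backendDataAnnotation = "flannel.alpha.coreos.com/backend-data"

// auditEvent carries only the fields of an audit.k8s.io/v1 Event the check
// reads. requestObject is present only at audit level Request or
// RequestResponse, so the policy must log node writes at one of those levels.
type auditEvent struct {
	Verb string `json:"verb"`
	User struct {
		Username string `json:"username"`
	} `json:"user"`
	ObjectRef struct {
		Resource string `json:"resource"`
		Name     string `json:"name"`
	} `json:"objectRef"`
	RequestObject struct {
		Metadata struct {
			Annotations map[string]string `json:"annotations"`
		} `json:"metadata"`
	} `json:"requestObject"`
}

// finding is one write to the backend-data annotation by a principal that
// is not expected to perform it.
type finding struct {
	User  string
	Node  string
	Verb  string
	Value string
}

// scanAuditLog reads newline-delimited audit events and reports every patch
// or update of a Node that carries the backend-data annotation and does not
// come from an allowlisted writer.
func scanAuditLog(log string, allowedWriters map[string]bool) ([]finding, error) {
	var findings []finding
	sc := bufio.NewScanner(strings.NewReader(log))
	sc.Buffer(make([]byte, 0, 1<<20), 1<<20) // audit lines can exceed the 64 KiB default
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("unparseable audit line: %w", err)
		}
		if ev.ObjectRef.Resource != "nodes" || (ev.Verb != "patch" && ev.Verb != "update") {
			continue
		}
		value, present := ev.RequestObject.Metadata.Annotations[backendDataAnnotation]
		if !present || allowedWriters[ev.User.Username] {
			continue
		}
		findings = append(findings, finding{
			User:  ev.User.Username,
			Node:  ev.ObjectRef.Name,
			Verb:  ev.Verb,
			Value: value,
		})
	}
	return findings, sc.Err()
}

// Constructed sample: the flannel service account doing its normal job, an
// unexpected user writing the annotation on a node, and a pod write that
// carries the same annotation key but is not a node and so is ignored.
const sampleAuditLog = `
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"patch","user":{"username":"system:serviceaccount:kube-flannel:flannel"},"objectRef":{"resource":"nodes","name":"worker-1"},"requestObject":{"metadata":{"annotations":{"flannel.alpha.coreos.com/backend-data":"{\"VNI\":1}"}}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"patch","user":{"username":"jane"},"objectRef":{"resource":"nodes","name":"worker-1"},"requestObject":{"metadata":{"annotations":{"flannel.alpha.coreos.com/backend-data":"{\"VNI\":99}"}}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"update","user":{"username":"jane"},"objectRef":{"resource":"pods","name":"web-0"},"requestObject":{"metadata":{"annotations":{"flannel.alpha.coreos.com/backend-data":"ignored"}}}}
`

func main() {
	allowed := map[string]bool{"system:serviceaccount:kube-flannel:flannel": true}
	findings, err := scanAuditLog(sampleAuditLog, allowed)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("ALERT %s %s nodes/%s backend-data=%q\n", f.User, f.Verb, f.Node, f.Value)
	}
}
```

Only the second line is reported: it is a node write of the watched annotation by a principal outside the allowlist. The same allowlist is the list of subjects whose RBAC bindings should be the only ones granting `patch`/`update` on `nodes`, which ties this detection to the RBAC mitigation above.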

Remediation Steps:

  1. Review the current Flannel configuration map (kube-flannel-cfg) in the kube-system namespace to determine if the Extension backend is in use.
  2. If the Extension backend is required, update the Flannel manifest image references to use v0.28.2.
  3. Apply the updated manifest using kubectl apply -f kube-flannel.yml.
  4. Verify that the Flannel DaemonSet pods restart successfully and reach the 'Running' state.
  5. If the Extension backend is not required, modify the net-conf.json in the configuration map to use "Type": "vxlan" and restart the Flannel pods.
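Steps 1 and 5 in code, as an added example that is not part of the original report: given the `net-conf.json` text from the `kube-flannel-cfg` ConfigMap, one function reports whether `Backend.Type` is the extension backend, and another produces the same document with the Backend block replaced by `{"Type":"vxlan"}` while leaving every other top-level key intact. The sample configuration is constructed; reading the ConfigMap out of the cluster and writing it back is left to `kubectl`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed net-conf.json as it might appear in the kube-flannel-cfg
// ConfigMap of a cluster still running the experimental backend.
const sampleNetConf = `{
  "Network": "10.244.0.0/16",
  "Backend": {
    "Type": "extension"
  }
}`

// backendType returns Backend.Type from a net-conf.json document, or ""
// when no Backend block is present (leave that case for manual review).
func backendType(conf string) (string, error) {
	var top struct {
		Backend struct {
			Type string `json:"Type"`
		} `json:"Backend"`
	}
	if err := json.Unmarshal([]byte(conf), &top); err != nil {
		return "", fmt.Errorf("net-conf.json does not parse: %w", err)
	}
	return top.Backend.Type, nil
}

// usesExtensionBackend is the check behind remediation step 1.
func usesExtensionBackend(conf string) (bool, error) {
	t, err := backendType(conf)
	if err != nil {
		return false, err
	}
	return strings.EqualFold(t, "extension"), nil
}

// switchToVXLAN is remediation step 5: it replaces the whole Backend block
// with {"Type":"vxlan"} and keeps every other top-level key untouched.
func switchToVXLAN(conf string) (string, error) {
	var top map[string]json.RawMessage
	if err := json.Unmarshal([]byte(conf), &top); err != nil {
		return "", fmt.Errorf("net-conf.json does not parse: %w", err)
	}
	top["Backend"] = json.RawMessage(`{"Type":"vxlan"}`)
	out, err := json.MarshalIndent(top, "", "  ")
	if err != nil {
		return "", err
	}
	return string(out), nil
}

func main() {
	ext, err := usesExtensionBackend(sampleNetConf)
	if err != nil {
		panic(err)
	}
	fmt.Println("extension backend in use:", ext)
	if ext {
		fixed, err := switchToVXLAN(sampleNetConf)
		if err != nil {
			panic(err)
		}
		fmt.Println("replacement net-conf.json:")
		fmt.Println(fixed)
	}
}
```

The rewrite drops any extension-specific keys under `Backend` on purpose, since they have no meaning for vxlan; anything outside `Backend`, such as `Network`, is preserved byte for byte. After applying the new ConfigMap, restart the Flannel pods as step 5 says so the new backend is picked up.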

References


Read the full report for CVE-2026-32241 on our website for more details including interactive diagrams and full exploit analysis.
