Cyber Resilience

CVE-2026-24005

Low · Public PoC

Published: 25 February 2026

Modified: 05 March 2026
KEV Added:
Patch:
CVSS Score v3.1: 0.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N)
EPSS Score: 0.0005 (16.9th percentile)
Risk Priority: 0 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24005 is an uncategorised-severity SSRF (CWE-918) vulnerability in OpenKruise Kruise. Its CVSS base score is 0.0.

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046). The CVE ranks at the 16.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-24005 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, in OpenKruise (Kruise), an automated management tool for large-scale applications on Kubernetes. It affects versions prior to 1.8.3 and 1.7.5, specifically in the PodProbeMarker feature that allows defining custom probes with TCPSocket or HTTPGet handlers. The webhook validation does not restrict the Host field in these probe configurations. The kruise-daemon component runs with hostNetwork=true, executing probes from the node's network namespace. The vulnerability has a CVSS v3.1 base score of 0.0 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N).

An attacker with permission to create PodProbeMarker resources can exploit this by specifying arbitrary Host values in probe configurations. This triggers SSRF requests originating from the Kubernetes node itself, enabling port scanning on the node or other networks accessible to it. Attackers can receive feedback on probe success or failure through NodePodProbe status messages.

Kruise versions 1.8.3 and 1.7.5 address the issue with a patch that restricts the Host field in webhook validation. Security practitioners should upgrade to these versions. Additional details are available in the GitHub security advisory (GHSA-9fj4-3849-rv9g), the fixing commit (94364b76adf3e8a1749a31afe809a163bed29613), and release notes for v1.7.5 and v1.8.3.
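Alongside the upgrade, existing PodProbeMarker objects can be audited for probes that set an explicit Host. The script below is an added example, not OpenKruise code: it scans JSON such as the output of `kubectl get podprobemarkers -A -o json`, assuming that resource name and the field path `spec.probes[].probe.<handler>.host` (the Kubernetes core Probe shape); the sample objects are constructed.

```python
import json
import sys

HANDLERS = ("tcpSocket", "httpGet")  # handler types named in the advisory

def find_host_overrides(doc):
    """Return one finding per PodProbeMarker probe that sets an explicit host."""
    items = doc["items"] if "items" in doc else [doc]
    findings = []
    for obj in items:
        if obj.get("kind") != "PodProbeMarker":
            continue
        meta = obj.get("metadata") or {}
        # Assumed path: spec.probes[].probe.<handler>.host (core/v1 Probe shape)
        for entry in (obj.get("spec") or {}).get("probes") or []:
            probe = entry.get("probe") or {}
            for handler in HANDLERS:
                action = probe.get(handler) or {}
                if action.get("host"):
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     entry.get("name"), handler,
                                     action["host"], action.get("port")))
    return findings

def marker(name, probes):
    """Build a constructed PodProbeMarker object for the sample below."""
    return {"kind": "PodProbeMarker",
            "metadata": {"namespace": "demo", "name": name},
            "spec": {"probes": probes}}

# Constructed sample input, not taken from a real cluster.
SAMPLE = {"kind": "List", "items": [
    marker("healthy", [
        {"name": "ready", "probe": {"httpGet": {"path": "/healthz", "port": 8080}}},
    ]),
    marker("suspicious", [
        {"name": "idle", "probe": {"exec": {"command": ["/bin/true"]}}},
        {"name": "remote", "probe": {"tcpSocket": {"host": "192.0.2.10", "port": 6379}}},
    ]),
]}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a saved kubectl JSON dump
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE
    for ns, name, probe, handler, host, port in find_host_overrides(doc):
        print(f"{ns}/{name} probe={probe} {handler} host={host} port={port}")
```

Each finding names the object and probe to review, together with who holds PodProbeMarker creation permission in that namespace.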

Vulnerability details

Kruise provides automated management of large-scale applications on Kubernetes. Prior to versions 1.8.3 and 1.7.5, PodProbeMarker allows defining custom probes with TCPSocket or HTTPGet handlers. The webhook validation does not restrict the Host field in these probe configurations. Since kruise-daemon runs with hostNetwork=true, it executes probes from the node network namespace. An attacker with PodProbeMarker creation permission can specify arbitrary Host values to trigger SSRF from the node, perform port scanning, and receive response feedback through NodePodProbe status messages. Versions 1.8.3 and 1.7.5 patch the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1046 Network Service Discovery (Tactic: Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF in PodProbeMarker enables arbitrary Host probes from node network namespace, directly facilitating port scanning and network service discovery on the node and reachable networks.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71258 · Shared CWE-918
CVE-2024-13924 · Shared CWE-918
CVE-2026-42860 · Shared CWE-918
CVE-2025-25785 · Shared CWE-918
CVE-2024-53705 · Shared CWE-918
CVE-2026-5418 · Shared CWE-918
CVE-2026-34428 · Shared CWE-918
CVE-2026-45082 · Shared CWE-918
CVE-2026-7065 · Shared CWE-918
CVE-2026-42141 · Shared CWE-918

Affected Assets

openkruise
kruise
≤ 1.7.5 · 1.8.0 — 1.8.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly requires validation of the Host field in PodProbeMarker TCPSocket/HTTPGet probes to block arbitrary external targets.

prevent

Restricts PodProbeMarker creation permission to only trusted service accounts, limiting who can supply malicious Host values.

prevent

Enforces admission-control policy that rejects PodProbeMarker objects containing disallowed Host values before the kruise-daemon executes them.
