CVE-2026-24005
Published: 25 February 2026
Summary
CVE-2026-24005 is an uncategorised-severity SSRF (CWE-918) vulnerability in OpenKruise Kruise. Its CVSS base score is 0.0.
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046). The CVE ranks at the 16.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-24005 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, in OpenKruise (Kruise), an automated management tool for large-scale applications on Kubernetes. It affects versions prior to 1.8.3 and 1.7.5, specifically in the PodProbeMarker feature that allows defining custom probes with TCPSocket or HTTPGet handlers. The webhook validation does not restrict the Host field in these probe configurations. The kruise-daemon component runs with hostNetwork=true, executing probes from the node's network namespace. The vulnerability has a CVSS v3.1 base score of 0.0 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N).
An attacker with permission to create PodProbeMarker resources can exploit this by specifying arbitrary Host values in probe configurations. This triggers SSRF requests originating from the Kubernetes node itself, enabling port scanning on the node or other networks accessible to it. Attackers can receive feedback on probe success or failure through NodePodProbe status messages.
Kruise versions 1.8.3 and 1.7.5 address the issue with a patch that restricts the Host field in webhook validation. Security practitioners should upgrade to these versions. Additional details are available in the GitHub security advisory (GHSA-9fj4-3849-rv9g), the fixing commit (94364b76adf3e8a1749a31afe809a163bed29613), and release notes for v1.7.5 and v1.8.3.
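For clusters that cannot upgrade immediately, the missing check can be approximated as an audit over existing PodProbeMarker objects. The following is an added example, not code from the Kruise project or its patch: it flags every HTTPGet or TCPSocket handler that sets Host. The JSON layout `spec.probes[].probe.{httpGet,tcpSocket}.host` and the policy of treating any non-empty Host as a finding are assumptions, and the manifest is constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the fields under audit are decoded. The field layout is an assumption.
type handler struct{ Host string `json:"host"` }
type probe struct {
	Name  string `json:"name"`
	Probe struct {
		HTTPGet   *handler `json:"httpGet"`
		TCPSocket *handler `json:"tcpSocket"`
	} `json:"probe"`
}
type marker struct {
	Spec struct{ Probes []probe `json:"probes"` } `json:"spec"`
}

// Constructed sample: one probe leaves Host unset, two override it.
const sampleMarker = `{"metadata":{"name":"demo"},"spec":{"probes":[
 {"name":"ok","probe":{"tcpSocket":{"port":8080}}},
 {"name":"web","probe":{"httpGet":{"host":"192.0.2.10","port":80,"path":"/"}}},
 {"name":"tcp","probe":{"tcpSocket":{"host":"198.51.100.7","port":22}}}]}}`

// FindHostOverrides lists every probe handler whose Host is explicitly set.
func FindHostOverrides(manifest []byte) ([]string, error) {
	var m marker
	if err := json.Unmarshal(manifest, &m); err != nil {
		return nil, fmt.Errorf("decode PodProbeMarker: %w", err)
	}
	var findings []string
	add := func(name, kind string, h *handler) {
		if h != nil && h.Host != "" {
			findings = append(findings, fmt.Sprintf("%s %s.host=%s", name, kind, h.Host))
		}
	}
	for _, p := range m.Spec.Probes {
		add(p.Name, "httpGet", p.Probe.HTTPGet)
		add(p.Name, "tcpSocket", p.Probe.TCPSocket)
	}
	return findings, nil
}

func main() {
	fmt.Println(FindHostOverrides([]byte(sampleMarker)))
}
```

Feed it each object exported from the cluster as JSON; any finding identifies a probe that kruise-daemon would run against a target other than the pod itself.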
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8710
Vulnerability details
Kruise provides automated management of large-scale applications on Kubernetes. Prior to versions 1.8.3 and 1.7.5, PodProbeMarker allows defining custom probes with TCPSocket or HTTPGet handlers. The webhook validation does not restrict the Host field in these probe configurations. Since kruise-daemon runs with hostNetwork=true, it executes probes from the node network namespace. An attacker with PodProbeMarker creation permission can specify arbitrary Host values to trigger SSRF from the node, perform port scanning, and receive response feedback through NodePodProbe status messages. Versions 1.8.3 and 1.7.5 patch the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in PodProbeMarker enables probes with arbitrary Host values from the node's network namespace, directly facilitating port scanning and network service discovery on the node and reachable networks.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of the Host field in PodProbeMarker TCPSocket/HTTPGet probes to block arbitrary external targets.
- Restricts PodProbeMarker creation permission to only trusted service accounts, limiting who can supply malicious Host values.
- Enforces admission-control policy that rejects PodProbeMarker objects containing disallowed Host values before the kruise-daemon executes them.