CVE-2026-24005
Published: 25 February 2026
Summary
CVE-2026-24005 is a uncategorised-severity SSRF (CWE-918) vulnerability in Openkruise Kruise. Its CVSS base score is 0.0.
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046); ranked at the 16.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
Validates server-side URLs and resource references to block SSRF attempts.
Detects server-side request forgery through monitoring of unexpected outbound connections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in PodProbeMarker enables arbitrary Host probes from node network namespace, directly facilitating port scanning and network service discovery on the node and reachable networks.
NVD Description
Kruise provides automated management of large-scale applications on Kubernetes. Prior to versions 1.8.3 and 1.7.5, PodProbeMarker allows defining custom probes with TCPSocket or HTTPGet handlers. The webhook validation does not restrict the Host field in these probe configurations. Since kruise-daemon…
more
runs with hostNetwork=true, it executes probes from the node network namespace. An attacker with PodProbeMarker creation permission can specify arbitrary Host values to trigger SSRF from the node, perform port scanning, and receive response feedback through NodePodProbe status messages. Versions 1.8.3 and 1.7.5 patch the issue.
Deeper analysisAI
CVE-2026-24005 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, in OpenKruise (Kruise), an automated management tool for large-scale applications on Kubernetes. It affects versions prior to 1.8.3 and 1.7.5, specifically in the PodProbeMarker feature that allows defining custom probes with TCPSocket or HTTPGet handlers. The webhook validation does not restrict the Host field in these probe configurations. The kruise-daemon component runs with hostNetwork=true, executing probes from the node's network namespace. The vulnerability has a CVSS v3.1 base score of 0.0 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N).
An attacker with permission to create PodProbeMarker resources can exploit this by specifying arbitrary Host values in probe configurations. This triggers SSRF requests originating from the Kubernetes node itself, enabling port scanning on the node or other networks accessible to it. Attackers can receive feedback on probe success or failure through NodePodProbe status messages.
Kruise versions 1.8.3 and 1.7.5 address the issue with a patch that restricts the Host field in webhook validation. Security practitioners should upgrade to these versions. Additional details are available in the GitHub security advisory (GHSA-9fj4-3849-rv9g), the fixing commit (94364b76adf3e8a1749a31afe809a163bed29613), and release notes for v1.7.5 and v1.8.3.
Details
- CWE(s)