CVE-2026-29954
Published: 30 March 2026
Summary
CVE-2026-29954 is a high-severity Argument Injection (CWE-88) vulnerability in Cloudark Kubeplus. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 13.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validating the chartURL input beyond mere URL-encoding: restricting the target address blocks SSRF, and neutralizing argument delimiters before the value reaches the wget command line blocks the injection.
SI-2 ensures timely remediation of the SSRF and argument injection flaws in the KubePlus mutating webhook and kubeconfiggenerator components via patching.
SI-9 restricts chartURL inputs to approved hosts and formats, mitigating SSRF by preventing access to unauthorized internal or external targets.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF + wget argument injection (CWE-88/918) in ResourceComposition processing enables scope-changing privilege escalation (S:C) and high-impact credential/sensitive data access from an already-privileged position.
NVD Description
In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More critically, when kubeconfiggenerator uses wget to download charts, the chartURL is directly concatenated into the command, allowing attackers to inject wget's `--header` option to achieve arbitrary HTTP header injection.
Deeper analysis
CVE-2026-29954 is a vulnerability in KubePlus 4.1.4 affecting the mutating webhook and kubeconfiggenerator components. It manifests as a Server-Side Request Forgery (SSRF) when processing the chartURL field of ResourceComposition resources, where the input is only URL-encoded without validation of the target address. More severely, the kubeconfiggenerator directly concatenates the chartURL into a wget command for downloading charts, enabling attackers to inject the wget --header option and achieve arbitrary HTTP header injection. The issue maps to CWE-88 (improper neutralization of argument delimiters) and CWE-918 (SSRF).
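As an added illustration (not KubePlus's own code), the kind of check SI-10 calls for on the chartURL field: the value is validated against an allowlist and then handed to wget as an argument list with a `--` separator rather than concatenated into a shell string, so it can only ever be read as a URL operand. The allowlisted host and the `.tgz` requirement are assumptions made for this example.

```python
import subprocess
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment would load it from config.
ALLOWED_CHART_HOSTS = {"charts.example.com"}


def build_wget_argv(chart_url: str) -> list[str]:
    """Validate chart_url and return a wget argv in which the URL can only be a URL.

    Raises ValueError for anything that is not a plain https URL to an approved host.
    """
    # Reject values that could be read as an option or split into extra arguments.
    if chart_url.startswith("-") or any(ch.isspace() for ch in chart_url):
        raise ValueError("chartURL must be a single positional URL")
    parts = urlsplit(chart_url)
    if parts.scheme != "https":
        raise ValueError("chartURL must use https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in chartURL are not allowed")
    if (parts.hostname or "") not in ALLOWED_CHART_HOSTS:
        raise ValueError(f"host {parts.hostname!r} is not an approved chart host")
    if not parts.path.endswith(".tgz"):
        raise ValueError("chartURL must point to a packaged chart (.tgz)")
    # A list argv never passes through a shell, so quotes or ';' in the value are
    # not interpreted, and '--' tells wget that everything after it is an operand.
    # --max-redirect=0 keeps an approved host from redirecting the fetch elsewhere.
    return ["wget", "--max-redirect=0", "-O", "chart.tgz", "--", chart_url]


def is_valid_chart_url(chart_url: str) -> bool:
    """Boolean form of the same check, convenient for an admission webhook."""
    try:
        build_wget_argv(chart_url)
    except ValueError:
        return False
    return True


def download_chart(chart_url: str) -> subprocess.CompletedProcess:
    """Fetch the chart with the validated argv, never via a shell string."""
    return subprocess.run(build_wget_argv(chart_url), check=True, capture_output=True)
```

Allowlisting by hostname still trusts DNS for that name; resolving the host and rejecting private or link-local addresses before the fetch would close that remaining SSRF path.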
Attackers with high privileges (PR:H), such as those with access to create or modify ResourceComposition resources, can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation has a high scope (S:C), granting high confidentiality impact (C:H) through SSRF and header injection, low integrity impact (I:L), and no availability impact (A:N), for an overall CVSS v3.1 score of 7.6.
Mitigation details are available in advisories at https://gist.github.com/b0b0haha/33baea60fd2a847f11f1fb02e43c64c0 and https://github.com/b0b0haha/CVE-2026-29954/blob/main/README.md.
Details
- CWE(s)