CVE-2026-32254
Published: 18 March 2026
Summary
CVE-2026-32254 is a high-severity Improper Access Control (CWE-284) vulnerability in Kube-router. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Denial of Service (T1498). The vulnerability is ranked at the 17.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of externalIPs and loadBalancer IPs before they are programmed into the node's network configuration, addressing the core improper access control flaw.
- AC-6 (Least Privilege): restricts the RBAC permissions needed to create Kubernetes Services with externalIPs or loadBalancer IPs, blocking exploitation by low-privileged principals.
- Flaw remediation: mandates timely patching of Kube-router to version 2.8.0, which implements the necessary IP validation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables direct manipulation of node network routes and IPs through unvalidated Service specs, which directly facilitates network-level denial of service (disruption) and traffic redirection or hijacking (improper routing that can enable man-in-the-middle positioning).
NVD Description
Kube-router is a turnkey solution for Kubernetes networking. Prior to version 2.8.0, Kube-router's proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration. Version 2.8.0 contains a patch for the issue. Available workarounds include enabling the DenyServiceExternalIPs feature gate, deploying an admission policy, restricting Service creation RBAC, monitoring Service changes, and applying BGP prefix filtering.
Deeper analysis
CVE-2026-32254 is a vulnerability in Kube-router, a turnkey solution for Kubernetes networking, affecting versions prior to 2.8.0. The issue lies in the proxy module, which does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration. Classified as CWE-284 (Improper Access Control), it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H) and was published on 2026-03-18.
An attacker requires low privileges, such as the ability to create Kubernetes Services, along with network access to the cluster. Exploitation involves specifying unvalidated externalIPs or loadBalancer IPs in a Service, causing Kube-router to apply them directly to the node's network configuration. This results in low integrity impact (I:L) and high availability impact (A:H), potentially leading to network disruptions or improper routing on affected nodes.
Kube-router version 2.8.0 patches the vulnerability, as detailed in the associated GitHub commit, release notes, and security advisory. Recommended workarounds include enabling the DenyServiceExternalIPs feature gate, deploying admission policies, restricting RBAC permissions for Service creation, monitoring Service changes, and applying BGP prefix filtering.
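Both the NVD workaround list and the analysis above point at the same control: the externalIPs and loadBalancer IPs carried in a Service must be validated before anything programs them onto a node. The following Python audit is an added example, not code from this record or from the Kube-router project. It applies that check to Service objects in the shape returned by the Kubernetes API (spec.externalIPs and status.loadBalancer.ingress[].ip): each address is parsed, rejected if it is a special-purpose address or falls inside protected cluster ranges, and otherwise required to sit in an operator allowlist. The prefixes, the sample Services and the helper names (validate_service, audit) are constructed for the example; the same logic could back an admission policy or a periodic audit over `kubectl get services -A -o json` output.

```python
"""Audit Kubernetes Service objects for externalIPs / loadBalancer IPs that
fall outside an operator allowlist or collide with protected cluster ranges.
Added example; prefixes and Services below are constructed, not real data."""
import ipaddress
from typing import Dict, List

# Hypothetical public VIP pool the operator permits for Services.
ALLOWED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Hypothetical node / pod / service CIDRs that a Service must never claim.
PROTECTED_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def service_ips(svc: dict) -> List[str]:
    """Collect every IP a Service could cause a proxy to program on a node:
    spec.externalIPs plus status.loadBalancer.ingress[].ip."""
    spec = svc.get("spec", {})
    status = svc.get("status", {})
    ips = list(spec.get("externalIPs", []))
    for ingress in status.get("loadBalancer", {}).get("ingress", []):
        if "ip" in ingress:
            ips.append(ingress["ip"])
    return ips


def validate_service(svc: dict, allowed=ALLOWED_PREFIXES,
                     protected=PROTECTED_PREFIXES) -> List[str]:
    """Return a list of findings; an empty list means the Service passes."""
    meta = svc.get("metadata", {})
    name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    findings = []
    for raw in service_ips(svc):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            findings.append(f"{name}: unparsable IP {raw!r}")
            continue
        # 0.0.0.0, loopback, link-local and multicast are never legitimate VIPs.
        if ip.is_unspecified or ip.is_loopback or ip.is_link_local or ip.is_multicast:
            findings.append(f"{name}: special-purpose address {ip} must not be programmed")
            continue
        # Claiming a node/pod/service address would hijack in-cluster traffic.
        if any(ip in net for net in protected):
            findings.append(f"{name}: {ip} overlaps a protected cluster range")
            continue
        # Everything else must be explicitly allowlisted.
        if not any(ip in net for net in allowed):
            findings.append(f"{name}: {ip} is not in the allowlisted VIP prefixes")
    return findings


def audit(services) -> Dict[str, List[str]]:
    """Map each offending Service (namespace/name) to its findings."""
    report = {}
    for svc in services:
        findings = validate_service(svc)
        if findings:
            meta = svc["metadata"]
            report[f'{meta["namespace"]}/{meta["name"]}'] = findings
    return report


def _svc(ns, name, external_ips=(), lb_ips=()):
    """Build a minimal Service object in API shape (constructed test data)."""
    return {
        "metadata": {"namespace": ns, "name": name},
        "spec": {"type": "LoadBalancer" if lb_ips else "ClusterIP",
                 "externalIPs": list(external_ips)},
        "status": {"loadBalancer": {"ingress": [{"ip": ip} for ip in lb_ips]}},
    }


# Constructed sample Services: one acceptable, four that should be flagged.
SAMPLE_SERVICES = [
    _svc("web", "frontend", external_ips=["203.0.113.10"]),
    _svc("dev", "sneaky", external_ips=["10.0.0.5"]),
    _svc("dev", "any", external_ips=["0.0.0.0"]),
    _svc("dev", "unlisted", lb_ips=["198.51.100.7"]),
    _svc("dev", "junk", external_ips=["not-an-ip"]),
]

if __name__ == "__main__":
    for findings in audit(SAMPLE_SERVICES).values():
        for line in findings:
            print(line)
```

Checking protected ranges before the allowlist means a misconfigured allowlist that happens to overlap the node CIDR still cannot let a Service claim a node address; the order of the checks is the point, not the particular prefixes.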
Details
- CWE(s): CWE-284 (Improper Access Control)