Weave Net Pods running in host PID namespace can be used to escalate other Kubernetes vulnerabilities
Description
Weave Net before 2.8.0 runs its Kubernetes pod with hostPID: true, allowing an attacker who compromises the pod to take over the entire cluster host.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Weave Net is an open-source virtual networking solution for Docker containers that connects them across multiple hosts. In Kubernetes deployments before version 2.8.0, the DaemonSet manifest that runs a Weave Net pod on every node sets hostPID: true and privileged: true, along with excessive host volume mounts [2]. The hostPID setting is unnecessary for the pod's intended network management functions and grants the container the ability to see all host processes and write anywhere in the host filesystem [1][2].
Exploitation
An attacker must first achieve code execution inside the Weave Net pod through another vulnerability (e.g., a bug in a Kubernetes component) or a cluster misconfiguration. No such companion vulnerability was known at the time of disclosure, and there were no reported instances of exploitation [2]. Once inside the pod, the attacker can leverage the existing hostPID: true and privileged access—along with mounted host volumes—to escape the container and gain full control over the underlying node [2].
Impact
A successful attacker can take over any host in the Kubernetes cluster, achieving complete compromise of the node's operating system. This enables arbitrary code execution at the host level, full access to all containers on that host, and the ability to disrupt or observe cluster-wide network operations [2]. The privilege escalation is from container-level access to root-level host access.
Mitigation
Weave Net 2.8.0, released on the same day as the advisory (2021-01-20), removes hostPID: true and moves CNI plugin installation to an init container, which reduces the attack surface [1][2]. Users who cannot update immediately can edit the hostPID line in their existing DaemonSet manifest from true to false, arrange an alternative method to install CNI plugins (e.g., Ansible), and remove the unnecessary host volume mounts from the manifest [2]. The project later released 2.8.1 to fix a regression, but the security improvements remain [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
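A check for the manifest settings named above, as an added example (not Weave Net's or the advisory's code): it reads a workload in the JSON shape that `kubectl get daemonset -o json` returns and reports `hostPID`, privileged containers and hostPath volumes. The sample manifest, the function names and the severity labels are constructed for illustration.

```python
import json

# Constructed sample: a trimmed DaemonSet in the shape `kubectl get ds -o json`
# returns. Values are illustrative, not copied from the Weave Net manifest.
SAMPLE = json.loads("""
{"kind": "DaemonSet",
 "metadata": {"name": "weave-net", "namespace": "kube-system"},
 "spec": {"template": {"spec": {
   "hostPID": true,
   "hostNetwork": true,
   "containers": [
     {"name": "weave", "securityContext": {"privileged": true},
      "volumeMounts": [{"name": "cni-bin", "mountPath": "/host/opt"}]}],
   "volumes": [{"name": "cni-bin", "hostPath": {"path": "/opt"}},
               {"name": "scratch", "emptyDir": {}}]}}}}
""")

def audit_workload(obj):
    """Return (severity, message) findings for host-level access in a pod template."""
    # DaemonSet/Deployment nest the pod spec under spec.template; a bare Pod does not.
    spec = obj.get("spec", {})
    pod = spec.get("template", {}).get("spec", spec)
    findings = []
    if pod.get("hostPID") is True:
        findings.append(("high", "hostPID: true (pod shares the host PID namespace)"))
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        if (c.get("securityContext") or {}).get("privileged") is True:
            findings.append(("high", f"container {c['name']}: privileged: true"))
    for v in pod.get("volumes", []):
        if "hostPath" in v:  # host directory mounted into the pod; review each one
            findings.append(("review", f"volume {v['name']}: hostPath {v['hostPath'].get('path')}"))
    return findings

def remediated(obj):
    """Copy of obj with hostPID set to false (the interim manifest edit)."""
    fixed = json.loads(json.dumps(obj))  # deep copy; the input is left untouched
    spec = fixed.get("spec", {})
    spec.get("template", {}).get("spec", spec)["hostPID"] = False
    return fixed

if __name__ == "__main__":
    for severity, msg in audit_workload(SAMPLE):
        print(f"[{severity}] {msg}")
```

Setting `hostPID` to false clears only the first finding; the privileged flag and each hostPath volume still need the separate review the mitigation text describes.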
Affected products
- (no CPE) range: <2.8.0
- (no CPE) range: < 2.8.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The Weave Net Kubernetes DaemonSet manifest unnecessarily set hostPID: true and privileged: true, granting the pod excessive host-level access."
Attack vector
An attacker must first exploit a separate vulnerability or misconfiguration to execute code inside the Weave Net pod. Once code execution is achieved inside the pod, the `hostPID: true` setting allows the attacker to access all processes on the host, and the `privileged: true` setting grants the ability to write anywhere in the host's root filesystem. This combination enables full host takeover from within the compromised pod. No known exploit of this vector existed at the time of disclosure [ref_id=1].
Affected code
The vulnerability is in the Weave Net DaemonSet manifest for Kubernetes deployments. The manifest set `hostPID: true` and `privileged: true` on the Weave Net pod, granting unnecessary host-level access. The fix in version 2.8.0 removes the `hostPID` setting and moves CNI plugin installation to an init container, reducing the pod's attack surface.
What the fix does
The fix in version 2.8.0 removes `hostPID: true` from the DaemonSet manifest, preventing the Weave Net pod from accessing host processes. CNI plugin installation is moved to an init container, which runs with reduced privileges and terminates after setup. This eliminates the unnecessary host-level access that could be leveraged in a container escape scenario [ref_id=1].
Preconditions
- auth: The attacker must already have code execution inside the Weave Net pod via another vulnerability or misconfiguration
- config: The Weave Net DaemonSet must be running with the default manifest that sets hostPID: true and privileged: true
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/weaveworks/weave/blob/master/CHANGELOG.md (mitre, x_refsource_MISC)
- github.com/weaveworks/weave/commit/a0ac81b3b4cae6d0dcaf3732fd91cedefc89f720 (mitre, x_refsource_MISC)
- github.com/weaveworks/weave/pull/3876 (mitre, x_refsource_MISC)
- github.com/weaveworks/weave/security/advisories/GHSA-pg3p-v8c6-c6h3 (mitre, x_refsource_CONFIRM)