VYPR
High severity · NVD Advisory · Published Nov 12, 2021 · Updated Aug 4, 2024

Privilege escalation to cluster admin on multi-tenant environments

CVE-2021-41254

Description

kustomize-controller is a Kubernetes operator, specialized in running continuous delivery pipelines for infrastructure and workloads defined with Kubernetes manifests and assembled with Kustomize. Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run kubectl commands under the Service Account of kustomize-controller, thus allowing an authenticated Kubernetes user to gain cluster admin privileges. Multitenant environments running affected versions, where non-admin users have permission to create Flux Kustomization objects, are affected by this issue. This vulnerability was fixed in kustomize-controller v0.15.0 (included in flux2 v0.18.0), released on 2021-10-08. Starting with v0.15, the kustomize-controller no longer executes shell commands on the container OS, and the kubectl binary has been removed from the container image. To prevent the creation of Kubernetes Service Accounts with secrets in namespaces owned by tenants, a Kubernetes validation webhook such as Gatekeeper OPA or Kyverno can be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A command injection in kustomize-controller allows authenticated users with limited permissions to gain cluster admin privileges by embedding shell commands in a Kubernetes Secret.

Vulnerability

In kustomize-controller versions prior to v0.15.0 (included in flux2 prior to v0.18.0), a command injection vulnerability exists when the controller reconciles a Flux Kustomization object whose spec.serviceAccountName points at a Service Account that references a Kubernetes Secret [1][2]. To act as that Service Account, the controller reads the token key of the Secret and interpolates it into a kubectl command line that it runs through a shell inside its own container, so shell metacharacters placed in the token value are parsed and executed as additional commands. This affects multitenant environments where non-admin users can create Service Accounts, Secrets, and Kustomization objects [2].

Exploitation

An attacker who can create Kubernetes Secrets, Service Accounts, and Flux Kustomization objects can exploit this by: (1) creating a Secret whose token key holds a shell fragment instead of a bearer token, e.g. kubectl create secret generic exploit-token --from-literal="token= || kubectl api-versions", (2) creating a Service Account that lists that Secret in its secrets field, and (3) creating a Kustomization whose spec.serviceAccountName names that Service Account [2]. When the kustomize-controller reconciles the Kustomization, it builds its kubectl command line with the Secret's token value and hands it to a shell, so the fragment after || is executed as a second command whenever the kubectl invocation in front of it fails [1][2]. Any command available in the controller container, including kubectl authenticated with the controller's own Service Account token, can be substituted for kubectl api-versions.
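The injection mechanism described in the vulnerability and exploitation sections above, as an added Go example that is not code from the kustomize-controller project: it reconstructs the shape of the vulnerable pattern (a token taken from the Secret pasted into a kubectl command line run under /bin/sh -c) next to the argv-based form that no shell ever reinterprets, and splits the resulting command line the way sh would. The manifest name, the helper names and the injected token value are constructed for this example; the actual v0.15 fix removed the shell and the kubectl binary from the controller altogether.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: the "token" value an attacker stores in the Secret.
// A real bearer token is base64url text; this one is a shell fragment.
const injectedToken = " || kubectl api-versions"

// vulnerableCommandLine reconstructs the pre-v0.15 pattern in outline
// (illustrative, not the project's code): the token read from the Service
// Account's Secret is pasted into a command string that is then executed
// through /bin/sh -c. Returns the argv that would be handed to exec.
func vulnerableCommandLine(manifest, token string) []string {
	cmdline := fmt.Sprintf("kubectl apply -f %s --token %s", manifest, token)
	return []string{"/bin/sh", "-c", cmdline}
}

// hardenedArgv passes the token as its own argv element straight to kubectl,
// with no shell in between, so "||" is just bytes inside one argument. (The
// real v0.15 fix went further and dropped kubectl and the shell entirely,
// talking to the API server through a client library instead.)
func hardenedArgv(manifest, token string) []string {
	return []string{"kubectl", "apply", "-f", manifest, "--token", token}
}

// shellCommandsOf approximates how sh splits an unquoted command line on the
// control operators "||", "&&" and ";" into separate commands. Quoting is
// ignored, which matches the vulnerable string: the token is never quoted.
func shellCommandsOf(cmdline string) []string {
	ops := []string{"||", "&&", ";"}
	var cmds []string
	rest := cmdline
	for {
		at, width := -1, 0
		for _, op := range ops {
			if i := strings.Index(rest, op); i >= 0 && (at < 0 || i < at) {
				at, width = i, len(op)
			}
		}
		if at < 0 {
			break
		}
		cmds = append(cmds, strings.TrimSpace(rest[:at]))
		rest = rest[at+width:]
	}
	return append(cmds, strings.TrimSpace(rest))
}

func main() {
	argv := vulnerableCommandLine("manifest.yaml", injectedToken)
	fmt.Printf("vulnerable exec: %q\n", argv)
	for i, c := range shellCommandsOf(argv[2]) {
		fmt.Printf("  sh runs command %d: %s\n", i+1, c)
	}
	fmt.Printf("hardened exec:   %q\n", hardenedArgv("manifest.yaml", injectedToken))
}
```

With the injected value, the vulnerable command line splits into two commands: the controller's own kubectl apply, now with an empty --token and therefore failing, and the attacker's kubectl api-versions, which runs in the controller container with whatever credentials kubectl finds there. The hardened argv carries the same value as a single element and never reaches a shell.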

Impact

Successful exploitation allows an attacker to execute arbitrary shell commands, including kubectl commands, under the Service Account of kustomize-controller. Because a standard Flux installation binds that Service Account to cluster-admin, this is a direct privilege escalation to cluster admin rights [1][2]. The attacker gains full control over the cluster, enabling actions such as deploying unauthorized resources, reading secrets in any namespace, or modifying system components.

Mitigation

This vulnerability is fixed in kustomize-controller v0.15.0 (included in flux2 v0.18.0), released on 2021-10-08 [1][2]. The fix stops executing shell commands on the container OS and removes the kubectl binary from the container image, so there is no longer a shell command line for a Secret value to be injected into. For environments that cannot immediately upgrade, administrators can use a validating admission webhook such as OPA Gatekeeper or Kyverno to reject Service Accounts that reference secrets in tenant-owned namespaces [1][2]; the policy should cover both create and update requests, since the secrets field can be attached to an existing Service Account after the fact.
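The admission check that the workaround above asks a webhook to enforce, as an added Go example that is not Kyverno, Gatekeeper or Flux code: it decides a trimmed AdmissionReview-style request for a ServiceAccount and denies any object in a tenant namespace that carries a secrets reference, while letting the token controller through. The tenant- namespace prefix, the system:kube-controller-manager allowlist, the request struct and the sample requests are assumptions made for this example; a Kyverno or Gatekeeper policy would express the same match and deny declaratively.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// admissionRequest is a hypothetical, trimmed stand-in for the AdmissionReview
// request a validating webhook receives: only the fields this check needs.
type admissionRequest struct {
	Operation string `json:"operation"` // CREATE or UPDATE
	Namespace string `json:"namespace"`
	Username  string `json:"username"`
	Object    struct {
		Secrets []struct {
			Name string `json:"name"`
		} `json:"secrets"`
	} `json:"object"`
}

// Assumption for this example: tenant namespaces are identified by a name
// prefix. A real policy would match on a namespace label or an explicit list.
const tenantNamespacePrefix = "tenant-"

// Assumption: on clusters before Kubernetes v1.24 the token controller, running
// as kube-controller-manager, appends the auto-generated token Secret to
// .secrets with an UPDATE. That identity must stay allowed or every tenant
// Service Account would be rejected the moment its token is generated.
var systemPrincipals = map[string]bool{
	"system:kube-controller-manager": true,
}

// admitServiceAccount returns whether the request is allowed and why.
func admitServiceAccount(raw []byte) (allowed bool, reason string, err error) {
	var req admissionRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return false, "", fmt.Errorf("decode admission request: %w", err)
	}
	if !strings.HasPrefix(req.Namespace, tenantNamespacePrefix) {
		return true, "namespace is not tenant-owned", nil
	}
	if systemPrincipals[req.Username] {
		return true, "system principal may manage .secrets", nil
	}
	if len(req.Object.Secrets) == 0 {
		return true, "no secrets attached", nil
	}
	names := make([]string, 0, len(req.Object.Secrets))
	for _, s := range req.Object.Secrets {
		names = append(names, s.Name)
	}
	return false, fmt.Sprintf("%s by %s: ServiceAccounts in tenant namespaces may not reference secrets (%s)",
		req.Operation, req.Username, strings.Join(names, ", ")), nil
}

// Constructed sample requests, not captured from a real cluster.
var (
	attackerRequest = []byte(`{"operation":"CREATE","namespace":"tenant-a","username":"alice",
	  "object":{"secrets":[{"name":"exploit-token"}]}}`)
	plainRequest = []byte(`{"operation":"CREATE","namespace":"tenant-a","username":"alice",
	  "object":{}}`)
	tokenControllerRequest = []byte(`{"operation":"UPDATE","namespace":"tenant-a",
	  "username":"system:kube-controller-manager","object":{"secrets":[{"name":"deployer-token-x7k2q"}]}}`)
	platformRequest = []byte(`{"operation":"CREATE","namespace":"flux-system","username":"platform-admin",
	  "object":{"secrets":[{"name":"ci-token"}]}}`)
)

func main() {
	for _, r := range [][]byte{attackerRequest, plainRequest, tokenControllerRequest, platformRequest} {
		ok, why, err := admitServiceAccount(r)
		fmt.Printf("allowed=%-5v err=%v reason=%s\n", ok, err, why)
	}
}
```

Only the tenant request that attaches exploit-token is denied; the same object in flux-system, a tenant Service Account without secrets, and the token controller's own update all pass. On Kubernetes v1.24 and later, where token Secrets are no longer auto-generated and appended, the system-principal exception can be dropped and any .secrets reference in a tenant namespace can be refused outright.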

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
github.com/fluxcd/kustomize-controller (Go) | < 0.15.0 | 0.15.0
