Clusternet has potential risk which can be leveraged to make a cluster-level privilege escalation
Description
Clusternet is a general-purpose system for controlling Kubernetes clusters across different environments. An issue in clusternet prior to version 0.15.2 can be leveraged to lead to a cluster-level privilege escalation. The clusternet has a deployment called cluster-hub inside the clusternet-system Kubernetes namespace, which runs on worker nodes randomly. The deployment has a service account called clusternet-hub, which has a cluster role called clusternet:hub via cluster role binding. The clusternet:hub cluster role has "*" verbs of "*.*" resources. Thus, if a malicious user can access the worker node which runs the clusternet, they can leverage the service account to do malicious actions to critical system resources. For example, the malicious user can leverage the service account to get ALL secrets in the entire cluster, resulting in cluster-level privilege escalation. Version 0.15.2 contains a fix for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Clusternet before 0.15.2 allows cluster-level privilege escalation via a service account with overly broad RBAC permissions.
The vulnerability resides in Clusternet's cluster-hub deployment, which runs on worker nodes and uses a service account clusternet-hub bound to the clusternet:hub cluster role. This role grants * verbs on *.* resources, effectively providing superuser access within the Kubernetes cluster [1][2].
An attacker who gains access to a worker node hosting the cluster-hub pod can abuse the service account's credentials to perform any action, including listing all secrets across the cluster. This requires initial access to the node, but no additional authentication, as the service account token is readily available on the node [1][4].
The impact is severe: cluster-level privilege escalation, enabling an attacker to exfiltrate sensitive data, modify resources, or compromise the entire cluster. No authentication is needed beyond node access [1][4].
Version 0.15.2 patches this vulnerability by restricting the RBAC permissions of the clusternet:hub cluster role [2]. Users should update immediately. No workaround is documented, but restricting node access can mitigate exploitation.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/clusternet/clusternetGo | < 0.15.2 | 0.15.2 |
Affected products
3- Range: <0.15.2
- clusternet/clusternetv5Range: < 0.15.2
Patches
1c6bb6a4d5e38bump clusternet images to v0.15.2 (#672)
4 files changed · +4 −4
deploy/agent/clusternet_agent_deployment.yaml+1 −1 modified@@ -51,7 +51,7 @@ spec: operator: Exists containers: - name: clusternet-agent - image: ghcr.io/clusternet/clusternet-agent:v0.15.0 + image: ghcr.io/clusternet/clusternet-agent:v0.15.2 imagePullPolicy: IfNotPresent env: - name: PARENT_URL
deploy/controller-manager/clusternet_controller_manager_deployment.yaml+1 −1 modified@@ -56,7 +56,7 @@ spec: operator: Exists containers: - name: clusternet-controller-manager - image: ghcr.io/clusternet/clusternet-controller-manager:v0.15.0 + image: ghcr.io/clusternet/clusternet-controller-manager:v0.15.2 imagePullPolicy: IfNotPresent env: - name: SYSTEM_NAMESPACE
deploy/hub/clusternet_hub_deployment.yaml+1 −1 modified@@ -64,7 +64,7 @@ spec: operator: Exists containers: - name: clusternet-hub - image: ghcr.io/clusternet/clusternet-hub:v0.15.0 + image: ghcr.io/clusternet/clusternet-hub:v0.15.2 imagePullPolicy: IfNotPresent env: - name: SYSTEM_NAMESPACE
deploy/scheduler/clusternet_scheduler_deployment.yaml+1 −1 modified@@ -34,7 +34,7 @@ spec: operator: Exists containers: - name: clusternet-scheduler - image: ghcr.io/clusternet/clusternet-scheduler:v0.15.0 + image: ghcr.io/clusternet/clusternet-scheduler:v0.15.2 imagePullPolicy: IfNotPresent env: - name: SYSTEM_NAMESPACE
Vulnerability mechanics
Root cause
"The `clusternet:hub` cluster role bound to the `clusternet-hub` service account grants overly permissive `"*" verbs on "*.*"` resources, allowing any user who compromises the worker node running the `cluster-hub` pod to escalate privileges cluster-wide."
Attack vector
An attacker who gains access to a worker node that runs the `cluster-hub` deployment can use the `clusternet-hub` service account's token (mounted inside the pod) to authenticate to the Kubernetes API. Because the `clusternet:hub` cluster role grants `"*" verbs on "*.*"` resources [patch_id=1640839], the attacker can perform any action on any resource, including reading all secrets in the cluster. The precondition is that the attacker must already have node-level access (e.g., via a separate container escape or compromised host).
Affected code
The vulnerability is in the RBAC configuration for the `clusternet-hub` service account in the `clusternet-system` namespace. The `clusternet:hub` cluster role (bound via cluster role binding) grants `"*" verbs on "*.*"` resources, giving full control over all Kubernetes API resources. The patch [patch_id=1640839] updates image tags in `deploy/hub/clusternet_hub_deployment.yaml` and other deployment manifests to v0.15.2, which contains the RBAC fix.
What the fix does
The patch [patch_id=1640839] bumps all clusternet container images from v0.15.0 to v0.15.2. The advisory states that version 0.15.2 contains the fix, but the patch diff shown only updates image tags and does not reveal the underlying RBAC or code changes. The fix presumably restricts the `clusternet:hub` cluster role to the minimum necessary permissions, removing the wildcard `"*" verbs on "*.*"` grant that allowed complete cluster control.
Preconditions
- networkAttacker must have access to a worker node that runs the cluster-hub pod.
- authAttacker must be able to use the clusternet-hub service account token from the compromised node.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-833c-xh79-p429ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-30622ghsaADVISORY
- github.com/clusternet/clusternet/releases/tag/v0.15.2ghsax_refsource_MISCWEB
- github.com/clusternet/clusternet/security/advisories/GHSA-833c-xh79-p429ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.