Gardener vulnerable to metadata injection for a project secret that can lead to privilege escalation
Description
Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in the gardenlet component of Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0. It could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. This CVE affects all Gardener installations where gardener/gardener-extension-provider-gcp is in use. Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A vulnerability in Gardener's gardenlet allows project admins to escalate privileges and gain control over seed clusters via metadata injection.
The vulnerability resides in the gardenlet component of Gardener, which manages Kubernetes clusters as a service. It stems from improper handling of metadata in project secrets, allowing a user with administrative privileges for a Gardener project to inject arbitrary metadata. This metadata is then processed by gardenlet without proper validation, leading to privilege escalation. The issue affects Gardener installations using the gardener-extension-provider-gcp extension [1][3].
To exploit this vulnerability, an attacker must already have administrative privileges within a Gardener project. By crafting malicious metadata in project secrets, the attacker can cause gardenlet to grant them control over the seed cluster(s) that host their shoot clusters. No further authentication is needed, as the attacker already possesses the required privileges at the project level [1].
Successful exploitation allows the attacker to gain full control of the underlying seed cluster. This compromises the isolation between different Gardener projects and can lead to unauthorized access to other shoot clusters managed by the same seed. Confidentiality, integrity, and availability of the seed cluster and its workloads are at risk [1][3].
Gardener has released fixed versions: 1.116.4, 1.117.5, 1.118.2, and 1.119.0. Users should upgrade to these versions immediately. No workarounds are documented; the only mitigation is applying the patch [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/gardener/gardener (Go) | < 1.116.4 | 1.116.4 |
| github.com/gardener/gardener (Go) | >= 1.117.0, < 1.117.5 | 1.117.5 |
| github.com/gardener/gardener (Go) | >= 1.118.0, < 1.118.2 | 1.118.2 |
Affected products
- Range: < 1.116.4 / < 1.117.5 / < 1.118.2 / < 1.119.0 (implicit via Gardener version)
- gardener/gardener: < 1.116.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-9x73-87fh-54w9 (GHSA, advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2025-47284 (GHSA, advisory)
- [3] github.com/gardener/gardener/security/advisories/GHSA-9x73-87fh-54w9 (x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.