CVE-2026-32241
Description
Flannel is a network fabric for containers, designed for Kubernetes. The Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. In versions of Flannel prior to 0.28.2, this Extension backend is vulnerable to a command injection that allows an attacker who can set Kubernetes Node annotations to achieve root-level arbitrary command execution on every flannel node in the cluster. The Extension backend's SubnetAddCommand and SubnetRemoveCommand receive attacker-controlled data via stdin (from the flannel.alpha.coreos.com/backend-data Node annotation). The content of this annotation is unmarshalled and piped directly to a shell command without checks. Kubernetes clusters using Flannel with the Extension backend are affected by this vulnerability. Other backends such as vxlan and wireguard are unaffected. The vulnerability is fixed in version v0.28.2. As a workaround, use Flannel with another backend such as vxlan or wireguard.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/flannel-io/flannelGo | < 0.28.2 | 0.28.2 |
Affected products
11- osv-coords10 versionspkg:apk/chainguard/k3spkg:apk/chainguard/k3s-1.32pkg:apk/chainguard/k3s-staticpkg:apk/chainguard/k3s-static-1.32pkg:apk/wolfi/k3spkg:apk/wolfi/k3s-1.32pkg:apk/wolfi/k3s-staticpkg:apk/wolfi/k3s-static-1.32pkg:golang/github.com/flannel-io/flannelpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 1.35.2.1-r5+ 9 more
- (no CPE)range: < 1.35.2.1-r5
- (no CPE)range: < 1.32.13.1-r8
- (no CPE)range: < 1.35.2.1-r5
- (no CPE)range: < 1.32.13.1-r8
- (no CPE)range: < 1.35.2.1-r5
- (no CPE)range: < 1.32.13.1-r8
- (no CPE)range: < 1.35.2.1-r5
- (no CPE)range: < 1.32.13.1-r8
- (no CPE)range: < 0.28.2
- (no CPE)range: < 0.0.20260402T184258-150000.1.158.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-vchx-5pr6-ffx2ghsaADVISORY
- github.com/flannel-io/flannel/security/advisories/GHSA-vchx-5pr6-ffx2nvdMitigationVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-32241ghsaADVISORY
- github.com/flannel-io/flannel/commit/08bc9a4c990ae785d2fcb448f4991b58485cd26aghsaWEB
- github.com/flannel-io/flannel/releases/tag/v0.28.2nvdProductRelease NotesWEB
News mentions
0No linked articles in our index yet.