CVE-2026-47190

Published: Jun 12, 2026Modified: Jun 12, 2026

4.4

Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Exploitability: 0.7 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data. This issue has been patched in versions 1.11.7, 1.12.4, and 1.13.0.

Related CWEs

CWE-250

Execution with Unnecessary Privileges

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

References (4)

https://github.com/metal3-io/ip-address-manager/pull/1355

Source: security-advisories@github.com

https://github.com/metal3-io/ip-address-manager/pull/1356

Source: security-advisories@github.com

https://github.com/metal3-io/ip-address-manager/pull/1357

Source: security-advisories@github.com

https://github.com/metal3-io/ip-address-manager/security/advisories/GHSA-49pm-43hf-6xfq

Source: security-advisories@github.com

Timeline

No history available yet.