Kubernetes Remote Code Execution via Nodes/Proxy Get Permission
3 months ago
- #Vulnerability
- #Security
- #Kubernetes
- A Kubernetes vulnerability allows code execution in every Pod of a cluster through the nodes/proxy GET permission.
- The vulnerability affects Kubernetes versions v1.34 and v1.35 and requires network access to the Kubelet API (port 10250).
- Exploitation uses WebSockets to bypass CREATE permission checks, which allows command execution in any Pod, including privileged system Pods.
- 69 Helm charts are identified as affected, including notable ones like prometheus-community/prometheus and grafana/promtail.
- The Kubernetes Security Team closed the report as 'Won’t Fix', stating the behavior is working as intended.
- KEP-2862 (Fine-Grained Kubelet API Authorization) is recommended as a future solution but is currently in Beta and not GA.
- A detection script is provided to check clusters for vulnerable service accounts.
- Proof of Concept (PoC) script demonstrates command execution in Pods using nodes/proxy GET permissions.
- Disclosure timeline shows initial report on November 1, 2025, and public disclosure on January 26, 2026.
- Appendix lists 69 affected Helm charts with links for further inspection.
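
The kind of check the detection bullet describes can be sketched as follows. This is an added example, not the script from the original report: it reads the JSON produced by `kubectl get clusterroles,clusterrolebindings -o json` and lists service accounts bound to a ClusterRole that allows GET on nodes/proxy, including the wildcard forms RBAC accepts. The sample objects and all names in them are constructed.

```python
"""Flag service accounts that hold GET on nodes/proxy (added example)."""
import json
import sys

# Constructed sample shaped like `kubectl get clusterroles,clusterrolebindings -o json`.
SAMPLE = {"items": [
    {"kind": "ClusterRole", "metadata": {"name": "metrics-reader"}, "rules": [
        {"apiGroups": [""], "resources": ["nodes/proxy", "nodes/metrics"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"}, "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "b1"},
     "roleRef": {"kind": "ClusterRole", "name": "metrics-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "monitoring", "name": "prometheus"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "b2"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "default", "name": "viewer"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "b3"},
     "roleRef": {"kind": "ClusterRole", "name": "wildcard-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ops", "name": "deployer"}]},
]}

def grants_nodes_proxy_get(rule):
    """True if one RBAC rule allows GET on nodes/proxy, including wildcard forms."""
    return (any(g in ("", "*") for g in rule.get("apiGroups") or [])
            and any(r in ("*", "*/proxy", "nodes/proxy") for r in rule.get("resources") or [])
            and any(v in ("*", "get") for v in rule.get("verbs") or []))

def exposed_service_accounts(listing):
    """Return sorted (namespace, name, clusterrole) for service accounts bound to a risky role."""
    items = listing.get("items") or []
    risky = {i["metadata"]["name"] for i in items if i.get("kind") == "ClusterRole"
             and any(grants_nodes_proxy_get(r) for r in i.get("rules") or [])}
    found = set()
    # nodes is a cluster-scoped resource, so only ClusterRoleBindings can grant it.
    for i in items:
        ref = i.get("roleRef") or {}
        if i.get("kind") != "ClusterRoleBinding" or ref.get("name") not in risky:
            continue
        for s in i.get("subjects") or []:
            if s.get("kind") == "ServiceAccount":
                found.add((s.get("namespace", ""), s["name"], ref["name"]))
    return sorted(found)

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name, role in exposed_service_accounts(data):
        print(f"{ns}/{name} holds nodes/proxy GET via ClusterRole {role}")
```

User and Group subjects bound to the same roles are not reported by this sketch and need a separate review.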