IPAM controller service account granted unnecessary full access to Secrets
CVE-2026-47190

4.4MEDIUM

Key Information:

Vendor

Metal3-io

Status
Ip-address-manager
Vendor
CVE Published:
12 June 2026

What is CVE-2026-47190?

IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data. This issue has been patched in versions 1.11.7, 1.12.4, and 1.13.0.

Affected Version(s)

ip-address-manager < 1.11.7 < 1.11.7

ip-address-manager < 1.12.4 < 1.12.4

ip-address-manager < 1.13.0 < 1.13.0

References

https://github.com/metal3-io/ip-address-manager/security/...
x_refsource_CONFIRM
https://github.com/metal3-io/ip-address-manager/pull/1355
x_refsource_MISC
https://github.com/metal3-io/ip-address-manager/pull/1356
x_refsource_MISC

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.