QSearchQSearch

CVE-2026-44543

8.7 HIGH

Local Path Provisioner provides a way for the Kubernetes users to utilize the local storage in each node

Published: 2026-05-28 · Last updated: 2026-06-08

Severity and scoring

CVSS
8.7 HIGH
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
CWE
CWE-269

Affected products

VendorProduct
suselocal_path_provisioner

Description

Local Path Provisioner provides a way for the Kubernetes users to utilize the local storage in each node. Prior to 0.0.36, a malicious user with permission to edit the local-path-config ConfigMap in the local-path-storage namespace can manipulate the helperPod.yaml template used by rancher/local-path-provisioner. The helperPod.yaml template is loaded by the provisioner and used to create HelperPods during PVC provisioning and cleanup operations. However, the template is not sufficiently validated before use. Security-sensitive fields such as securityContext.privileged, hostPath volumes, and Linux capabilities can be injected into the template. When a PVC operation triggers HelperPod creation, the provisioner creates the HelperPod using the attacker-controlled template. This can result in a privileged pod running on the target node with the host root filesystem mounted. This may allow the attacker to access sensitive host files, read ServiceAccount tokens from other pods on the same node, access other tenants' local-path volume data, or modify files on the host node. This vulnerability is fixed in 0.0.36.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-31431 In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly r... (7.8 HIGH)
  • CVE-2024-12086 A flaw was found in rsync (6.1 MEDIUM)
  • CVE-2017-5753 Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an... (5.6 MEDIUM)
  • CVE-2015-0192 Unspecified vulnerability in IBM Java 8 before SR1, 7 R1 before SR2 FP11, 7 before SR9, 6 R1 before SR8 FP4, 6 before SR16 FP4, and 5.0 b... (9.8 CRITICAL)
  • CVE-2015-4000 The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DH... (3.7 LOW)

Same CWE

  • CVE-2024-38487 api-gateway container running with root privilege would allow an attacker to escape the container and access host system to perform unint... (7.0 HIGH)
  • CVE-2026-12313 Information disclosure, sandbox escape in the Security: Process Sandboxing component (4.7 MEDIUM)
  • CVE-2026-12289 Privilege escalation in the Graphics: WebRender component (8.8 HIGH)
  • CVE-2026-8176 The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Adminis... (7.5 HIGH)
  • CVE-2025-9912 Nokia SR Linux is vulnerable to a local privilege escalation vulnerability (6.3 MEDIUM)