Bug 2488412 (CVE-2026-47190) - CVE-2026-47190 github.com/metal3-io/ip-address-manager: Cluster API Provider Metal3 IPAM: Information disclosure via excessive permissions on Secrets
Summary: CVE-2026-47190 github.com/metal3-io/ip-address-manager: Cluster API Provider ...
Keywords:
Status: NEW
Alias: CVE-2026-47190
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-12 16:01 UTC by OSIDB Bzimport
Modified: 2026-06-16 10:44 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-12 16:01:36 UTC
IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data. This issue has been patched in versions 1.11.7, 1.12.4, and 1.13.0.


Note You need to log in before you can comment on or make changes to this bug.