PT-2026-21979 · Kruise

B0B0Haha · Published 2026-02-25 · Updated 2026-03-25 · CVE-2026-24005

CVSS v3.1: 7.6 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Kruise versions prior to 1.8.3
Kruise versions prior to 1.7.5

Description

Kruise allows automated management of applications on Kubernetes. A flaw exists in the PodProbeMarker functionality where the webhook validation does not restrict the 'Host' field in custom probe configurations using TCPSocket or HTTPGet handlers. Because kruise-daemon runs with hostNetwork enabled, it executes probes from the node's network namespace. An attacker with permission to create PodProbeMarkers can specify arbitrary 'Host' values to trigger Server-Side Request Forgery (SSRF) from the node, perform port scanning, and receive response feedback through NodePodProbe status messages. The vulnerability allows access to node-local services, cloud metadata, and internal network resources. The tcpSocket probe remains vulnerable, while httpGet probes are rejected by the webhook in OpenKruise v1.8.0. The vulnerable component is the PodProbeMarker and the affected function is newTCPSocketProber.

Recommendations

Versions prior to 1.8.3: Update to version 1.8.3 or later.
Versions prior to 1.7.5: Update to version 1.7.5 or later.
Restrict PodProbeMarker creation permissions.
Apply network policies limiting kruise-daemon egress traffic.
Audit existing PodProbeMarker resources.
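
One way to carry out the audit recommended above, as an added example that is not part of the advisory or the OpenKruise code base: it reads the JSON produced by `kubectl get podprobemarkers -A -o json` and lists every probe whose tcpSocket or httpGet handler sets a host. The field path `spec.probes[].probe.{tcpSocket,httpGet}.host` is an assumption based on the PodProbeMarker resource embedding the Kubernetes probe type; the function name `audit` and the sample objects are constructed for illustration.

```python
import json
import sys

# Constructed sample, shaped like `kubectl get podprobemarkers -A -o json`.
# Assumed field path: spec.probes[].probe.{tcpSocket,httpGet}.host
SAMPLE = {"items": [
    {"metadata": {"namespace": "games", "name": "idle-check"},
     "spec": {"probes": [
         {"name": "idle", "probe": {"exec": {"command": ["/idle.sh"]}}},
         {"name": "ready", "probe": {"tcpSocket": {"port": 8080}}},
     ]}},
    {"metadata": {"namespace": "dev", "name": "odd-probe"},
     "spec": {"probes": [
         {"name": "tcp", "probe": {"tcpSocket": {"host": "127.0.0.1", "port": 8080}}},
         {"name": "http", "probe": {"httpGet": {"host": "10.0.0.5", "port": 80, "path": "/"}}},
     ]}},
]}


def audit(doc):
    """Return one finding per probe whose tcpSocket/httpGet handler sets a host."""
    findings = []
    items = doc["items"] if "items" in doc else [doc]  # List or single object
    for item in items:
        meta = item.get("metadata") or {}
        for entry in (item.get("spec") or {}).get("probes") or []:
            probe = entry.get("probe") or {}
            for handler in ("tcpSocket", "httpGet"):
                action = probe.get(handler) or {}
                if action.get("host"):  # Empty or missing host: nothing to flag
                    findings.append({
                        "namespace": meta.get("namespace"),
                        "name": meta.get("name"),
                        "probe": entry.get("name"),
                        "handler": handler,
                        "host": action["host"],
                        "port": action.get("port"),
                    })
    return findings


if __name__ == "__main__":
    # Pipe kubectl JSON on stdin, or run with no input to use the sample.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit(doc):
        print(f"{f['namespace']}/{f['name']} probe={f['probe']} {f['handler']} host={f['host']} port={f['port']}")
```

Each finding names the resource to review; who created it can then be checked against the RBAC grants for PodProbeMarker creation.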

Exploit · Fix · SSRF

Related Identifiers

CVE-2026-24005
GHSA-9FJ4-3849-RV9G
GO-2026-4549
SUSE-SU-2026:1042-1

Affected Products

Kruise
Kubernetes