PT-2026-25978 · Unknown · Kube-Router
B0B0Haha
Published 2026-03-17 · Updated 2026-03-27
CVE-2026-32254
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: Kube-router versions prior to 2.8.0

Description: Kube-router's proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration. This affects multi-tenant clusters in which untrusted users hold namespace-scoped permissions to create or modify Services. The buildServicesInfo() function copies IPs from Service.spec.externalIPs and status.loadBalancer.ingress without checking them against the --service-external-ip-range parameter; that parameter is consulted only by the netpol module, not by the proxy module. An attacker can therefore bind arbitrary VIPs on all cluster nodes or cause a denial of service against critical cluster services such as kube-dns, and may be able to hijack traffic or disrupt DNS. The vulnerability can be exploited by creating a Service whose externalIP matches the kube-dns ClusterIP, redirecting all DNS queries to attacker-controlled pods. The issue is not unique to kube-router: the upstream Kubernetes project identified a similar problem as CVE-2020-8554.

Recommendations: Update to Kube-router version 2.8.0 or later.
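The defensive check the advisory says was missing, written as an added Go example for cluster operators auditing Service objects; it is not kube-router's code and does not reproduce buildServicesInfo() or kube-router's flag handling. It assumes a minimal constructed Service type carrying only the ClusterIP, spec.externalIPs and status.loadBalancer.ingress fields, and treats the allowed external IP ranges as a plain list of CIDRs (a hypothetical stand-in for what --service-external-ip-range would supply). The audit flags two conditions from the description: an external or load-balancer IP outside the allowed ranges, and an IP that collides with another Service's ClusterIP (the kube-dns case). The sample Services are constructed, not captured from a cluster.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Service is a constructed, minimal stand-in for the Kubernetes Service fields
// that matter here. It is not kube-router's internal service type.
type Service struct {
	Namespace    string
	Name         string
	ClusterIP    string   // assigned by the API server
	ExternalIPs  []string // user-supplied spec.externalIPs
	LBIngressIPs []string // status.loadBalancer.ingress[].ip
}

// Finding describes one external or load-balancer IP that should not be
// programmed onto the nodes, and why.
type Finding struct {
	Service string // namespace/name
	IP      string
	Reason  string
}

// parsePrefixes parses the allowed ranges. Hypothetical: it assumes the allowed
// ranges arrive as CIDR strings, which is an assumption, not kube-router's parser.
func parsePrefixes(cidrs []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

func inAllowed(ip netip.Addr, allowed []netip.Prefix) bool {
	for _, p := range allowed {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// AuditServices returns a Finding for every externalIP or load-balancer ingress
// IP that lies outside the allowed ranges or collides with some Service's
// ClusterIP. Findings are returned in Service order, externalIPs before LB IPs.
func AuditServices(services []Service, allowedCIDRs []string) ([]Finding, error) {
	allowed, err := parsePrefixes(allowedCIDRs)
	if err != nil {
		return nil, err
	}
	// Index every ClusterIP so a VIP colliding with one is caught across namespaces.
	clusterIPs := map[netip.Addr]string{}
	for _, s := range services {
		if a, err := netip.ParseAddr(s.ClusterIP); err == nil {
			clusterIPs[a] = s.Namespace + "/" + s.Name
		}
	}
	var findings []Finding
	for _, s := range services {
		key := s.Namespace + "/" + s.Name
		check := func(raw, source string) {
			ip, err := netip.ParseAddr(raw)
			if err != nil {
				findings = append(findings, Finding{key, raw, source + ": unparseable address"})
				return
			}
			if owner, ok := clusterIPs[ip]; ok && owner != key {
				findings = append(findings, Finding{key, raw, source + ": collides with ClusterIP of " + owner})
				return
			}
			if !inAllowed(ip, allowed) {
				findings = append(findings, Finding{key, raw, source + ": outside allowed external IP ranges"})
			}
		}
		for _, ip := range s.ExternalIPs {
			check(ip, "spec.externalIPs")
		}
		for _, ip := range s.LBIngressIPs {
			check(ip, "status.loadBalancer.ingress")
		}
	}
	return findings, nil
}

// SampleServices is constructed input: one legitimate tenant Service, one whose
// externalIP equals the kube-dns ClusterIP, and one with a stray LB ingress IP.
func SampleServices() []Service {
	return []Service{
		{Namespace: "kube-system", Name: "kube-dns", ClusterIP: "10.96.0.10"},
		{Namespace: "tenant-a", Name: "web", ClusterIP: "10.96.4.7", ExternalIPs: []string{"192.0.2.10"}},
		{Namespace: "tenant-b", Name: "dns-collision", ClusterIP: "10.96.9.3", ExternalIPs: []string{"10.96.0.10"}},
		{Namespace: "tenant-b", Name: "stray", ClusterIP: "10.96.9.4", LBIngressIPs: []string{"198.51.100.5"}},
	}
}

func main() {
	findings, err := AuditServices(SampleServices(), []string{"192.0.2.0/24"})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s %s %s\n", f.Service, f.IP, f.Reason)
	}
}
```

With the sample input, tenant-a/web passes because 192.0.2.10 falls inside the allowed 192.0.2.0/24, while the two tenant-b Services are reported: one for reusing the kube-dns ClusterIP, one for an LB ingress IP outside the allowed ranges. The same logic fits in a validating admission webhook, where it rejects the Service before any proxy ever sees it, which is the enforcement point a patched kube-router's own range check complements.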

Exploit · Fix · DoS · Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2026-32254
GHSA-PHQM-JGC3-QF8G
GO-2026-4724
SUSE-SU-2026:1135-1

Affected Products

Kube-Router