PT-2026-28434 · Coreos+1 · Flannel+1
Published 2026-03-18 · Updated 2026-05-06 · CVE-2026-32241
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Flannel versions prior to 0.28.2

Description: Flannel, a network fabric for containers designed for Kubernetes, contains a command injection issue in its experimental Extension backend. An attacker who can set Kubernetes Node annotations can achieve root-level arbitrary command execution on every flannel node in the cluster. The Extension backend's SubnetAddCommand and SubnetRemoveCommand receive attacker-controlled data via stdin from the flannel.alpha.coreos.com/backend-data Node annotation, which is then piped directly to a shell command without validation. Kubernetes clusters using Flannel with the Extension backend are affected; other backends like vxlan and wireguard are not impacted.

Recommendations: Versions prior to 0.28.2 should be updated to version 0.28.2 or later. As a workaround, use Flannel with a different backend such as vxlan or wireguard.
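An added audit example (not code from the advisory or from the flannel project) that walks `kubectl get nodes -o json` output, lists nodes whose flannel backend is the Extension backend, and flags backend-data annotations carrying shell metacharacters, i.e. the value that reaches SubnetAddCommand's stdin on every other node. The backend-data annotation key is taken from the advisory; the backend-type key and the "extension" value are assumed from flannel's annotation conventions, and the node JSON is a constructed sample.

```python
import json
import re

# Annotation keys written by flannel's kube subnet manager. backend-data is
# named in the advisory; backend-type is assumed from flannel's conventions.
BACKEND_TYPE = "flannel.alpha.coreos.com/backend-type"
BACKEND_DATA = "flannel.alpha.coreos.com/backend-data"

# Characters that let a value piped to a shell break out of a single token.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\]")


def audit_nodes(nodes_json: str) -> list[dict]:
    """Return one finding per node that uses the Extension backend.

    Each finding records whether that node's backend-data annotation contains
    shell metacharacters. With the Extension backend this value is fed to
    SubnetAddCommand/SubnetRemoveCommand on every peer, which is the path
    CVE-2026-32241 abuses; nodes on vxlan/wireguard are skipped.
    """
    findings = []
    for item in json.loads(nodes_json).get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if annotations.get(BACKEND_TYPE, "").lower() != "extension":
            continue
        data = annotations.get(BACKEND_DATA, "")
        findings.append({
            "node": meta.get("name", "?"),
            "backend_data": data,
            "suspicious": bool(SHELL_META.search(data)),
        })
    return findings


# Constructed sample resembling `kubectl get nodes -o json` output.
SAMPLE_NODES = json.dumps({"items": [
    {"metadata": {"name": "node-a", "annotations": {
        BACKEND_TYPE: "vxlan", BACKEND_DATA: '{"VNI":1}'}}},
    {"metadata": {"name": "node-b", "annotations": {
        BACKEND_TYPE: "extension", BACKEND_DATA: "10.244.1.0/24"}}},
    {"metadata": {"name": "node-c", "annotations": {
        BACKEND_TYPE: "extension", BACKEND_DATA: "10.244.2.0/24; echo injected"}}},
]})

if __name__ == "__main__":
    for finding in audit_nodes(SAMPLE_NODES):
        status = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{finding['node']}: {status} backend-data={finding['backend_data']!r}")
```

Any node reported at all means the cluster runs the Extension backend and should be upgraded to 0.28.2 or moved to vxlan/wireguard; a "SUSPICIOUS" entry is worth an incident-response look at who wrote that annotation.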

Exploit

Fix

RCE

Command Injection

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-07361
CVE-2026-32241
GHSA-VCHX-5PR6-FFX2
GO-2026-4894
SUSE-SU-2026:1205-1

Affected Products

Flannel
Red Os