PT-2026-37207 · Go · github.com/k8sgpt-ai/k8sgpt

Published 2026-04-24 · Updated 2026-04-24

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

In the auto-remediation pipeline, the object-to-execution code in execution.go deserialized the AI-generated YAML directly into a Deployment object, with no validation of the result against the original Deployment object.
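The missing step described above, as an added example that is not k8sgpt's own code: before a generated manifest is executed, compare it against the original object and accept only changes that keep the original identity and container set. The struct types are a hypothetical minimal subset of a Deployment, and the invariants chosen (name, namespace, container names and images) are an assumption about what a remediation should never alter.

```go
package main
import (
	"encoding/json"
	"fmt"
)

// Minimal subset of a Deployment manifest, a hypothetical stand-in for the k8s.io/api types.
// encoding/json matches keys case-insensitively; JSON input is fine since JSON is valid YAML.
type Container struct{ Name, Image string }
type PodSpec struct{ Containers []Container }
type Template struct{ Spec PodSpec }
type DeploymentSpec struct{ Template Template }
type Metadata struct{ Name, Namespace string }
type Deployment struct {
	Metadata Metadata
	Spec     DeploymentSpec
}

// ParseDeployment decodes an untrusted generated manifest into the typed subset.
func ParseDeployment(doc []byte) (Deployment, error) {
	var d Deployment
	err := json.Unmarshal(doc, &d)
	return d, err
}

// ValidateRemediation accepts the candidate only if it still targets the same object (name,
// namespace) and keeps exactly the original container names and images; replicas, resources,
// env and other fields may change. Duplicate names are rejected so a dropped container
// cannot be masked by a repeated one.
func ValidateRemediation(original, candidate Deployment) error {
	if candidate.Metadata != original.Metadata {
		return fmt.Errorf("target object changed: %+v -> %+v", original.Metadata, candidate.Metadata)
	}
	want := map[string]string{}
	for _, c := range original.Spec.Template.Spec.Containers {
		want[c.Name] = c.Image
	}
	got := candidate.Spec.Template.Spec.Containers
	if len(got) != len(want) {
		return fmt.Errorf("container count changed: %d -> %d", len(want), len(got))
	}
	seen := map[string]bool{}
	for _, c := range got {
		if img, ok := want[c.Name]; !ok || seen[c.Name] || img != c.Image {
			return fmt.Errorf("container %q was added, duplicated or re-imaged", c.Name)
		}
		seen[c.Name] = true
	}
	return nil
}
```

A manifest that fails the check should be logged and discarded rather than applied, which turns an unvalidated deserialization into a rejected change.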

Details

This issue was fixed after coordination with Alex Jones.

PoC

To minimize the impact, the PoC of this vulnerability wasn't released, but was shared with the maintainers.

Fix

Weakness Enumeration

Deserialization of Untrusted Data

RCE

Related Identifiers

GHSA-rp7v-4384-hfrp

Affected Products

github.com/k8sgpt-ai/k8sgpt