PT-2026-39897 · Unknown · Local-Path-Provisioner
B0B0Haha
+1
·
Published
2026-05-11
·
Updated
2026-06-25
·
CVE-2026-44543
CVSS v3.1
8.7
High
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
local-path-provisioner versions prior to 0.0.36
Description
A malicious user with permissions to edit the
local-path-config ConfigMap in the local-path-storage namespace can manipulate the helperPod.yaml template. This template is used to create HelperPods during PVC provisioning and cleanup operations but is not sufficiently validated before use. An attacker can inject security-sensitive fields such as securityContext.privileged, hostPath volumes, and Linux capabilities into the template. When a PVC operation triggers the creation of a HelperPod, the provisioner uses the attacker-controlled template, potentially resulting in a privileged pod running on the target node with the host root filesystem mounted. This allows the attacker to access sensitive host files, read ServiceAccount tokens from other pods on the same node, access other tenants' local-path volume data, or modify files on the host node.Recommendations
Update to version 0.0.36 or later.
Restrict write access to the
local-path-config ConfigMap in the local-path-storage namespace to trusted administrators only.
Mark the local-path-config ConfigMap as immutable.
Enable Kubernetes Pod Security Admission for the local-path-storage namespace by enforcing the baseline policy to prevent the creation of privileged HelperPods.Exploit
Fix
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Local-Path-Provisioner