PT-2026-45027 · Go+1 · Github.Com/Metal3-Io/Ip-Address-Manager+1
Published 2026-05-29 · Updated 2026-06-12 · CVE-2026-47190
CVSS v3.1: 4.4 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
IPAM versions prior to 1.11.7
IPAM versions prior to 1.12.4
IPAM versions prior to 1.13.0
Description
The IPAM controller's ClusterRole grants excessive CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets, despite the controller not requiring access to Secrets during normal operation. If the controller pod is compromised through a container escape or supply chain attack, an attacker could use these permissions to read, modify, or delete Secrets within the namespace, leading to the potential exposure of credentials and sensitive data.
Recommendations
Update to version 1.11.7
Update to version 1.12.4
Update to version 1.13.0
As a temporary workaround, manually remove the Secrets resource entry from the metal3-ipam-controller-manager-role ClusterRole.
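The workaround above is a manual RBAC edit; the following added example (not code from the advisory or from the ip-address-manager project) shows how to audit a ClusterRole for any rule that reaches core/v1 Secrets and how to strip that resource from the rules before re-applying the manifest. The ClusterRole dictionary is constructed for the example and modelled on the advisory's description; the non-Secrets rules and the helper names (`find_secret_grants`, `strip_resource`, `has_secret_write`) are assumptions, not the project's actual manifest or API. Wildcard rules (`*`) are reported but deliberately not rewritten, since narrowing them needs a human decision.

```python
"""Audit a Kubernetes ClusterRole for Secret permissions and strip them."""
import copy
import json

# Constructed example manifest, modelled on the advisory: a controller
# ClusterRole whose rules include full CRUD on core/v1 Secrets. The other
# rules are illustrative only and are not taken from the project.
CONSTRUCTED_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "metal3-ipam-controller-manager-role"},
    "rules": [
        {"apiGroups": ["ipam.metal3.io"],
         "resources": ["ipaddresses", "ippools", "ipclaims"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
    ],
}

# Verbs that let a principal change or remove objects, plus the wildcard.
WRITE_VERBS = {"create", "delete", "deletecollection", "patch", "update", "*"}


def _rule_covers(rule, api_group, resource):
    """True if the rule reaches `resource` in `api_group`, honouring '*' wildcards."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    return bool(groups & {api_group, "*"}) and bool(resources & {resource, "*"})


def find_secret_grants(role):
    """Return [(rule index, sorted verbs)] for every rule that reaches core Secrets."""
    hits = []
    for i, rule in enumerate(role.get("rules", [])):
        if _rule_covers(rule, "", "secrets"):
            hits.append((i, sorted(rule.get("verbs", []))))
    return hits


def has_secret_write(role):
    """True if any Secret-reaching rule carries a verb that can alter or delete Secrets."""
    return any(WRITE_VERBS & set(verbs) for _, verbs in find_secret_grants(role))


def strip_resource(role, resource, api_group=""):
    """Return a copy of `role` with `resource` removed from every matching rule.

    Rules that named only that resource are dropped entirely. Rules that use a
    resources wildcard are left untouched (they still show up in
    find_secret_grants) so an operator can split them by hand.
    """
    new_role = copy.deepcopy(role)
    kept = []
    for rule in new_role.get("rules", []):
        if not _rule_covers(rule, api_group, resource) or "*" in rule.get("resources", []):
            kept.append(rule)
            continue
        rule["resources"] = [r for r in rule["resources"] if r != resource]
        if rule["resources"]:          # drop the rule if nothing is left in it
            kept.append(rule)
    new_role["rules"] = kept
    return new_role


if __name__ == "__main__":
    for idx, verbs in find_secret_grants(CONSTRUCTED_ROLE):
        print(f"rule {idx} grants on core Secrets: {', '.join(verbs)}")
    print("write access to Secrets:", has_secret_write(CONSTRUCTED_ROLE))
    # The stripped manifest can be written out and re-applied with kubectl.
    print(json.dumps(strip_resource(CONSTRUCTED_ROLE, "secrets"), indent=2))
```

To run this against a live cluster, feed `json.load()` the output of `kubectl get clusterrole metal3-ipam-controller-manager-role -o json` in place of `CONSTRUCTED_ROLE`; keep in mind that a patched release will restore the manifest, so the permanent fix is still the upgrade.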
Affected Products
github.com/metal3-io/ip-address-manager
IP Address Manager