PT-2026-6430 — Github.Com/Cert-Manager/Cert-Manager

PT-2026-6430 · Go · Github.Com/Cert-Manager/Cert-Manager

Published

2026-02-02

Updated

2026-02-02

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact

The cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS.

An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in Denial of Service (DoS) of the cert-manager controller.

The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor.

Patches

The vulnerability was introduced in cert-manager v1.18.0 and has been patched in cert-manager v1.19.3 and v1.18.5, which are the supported minor releases at the time of publishing.

cert-manager versions prior to v1.18.0 are unaffected.

Workarounds

Using DNS-over-HTTPS reduces the risk of DNS traffic being intercepted and modified.
- Note that DNS-over-HTTPS does not prevent the risk of an attacker-controlled authoritative DNS server.

Resources

Fix for cert-manager 1.18: https://github.com/cert-manager/cert-manager/pull/8467
Fix for cert-manager 1.19: https://github.com/cert-manager/cert-manager/pull/8468
Fix for master branch: https://github.com/cert-manager/cert-manager/pull/8469

Credits

Huge thanks to Oleh Konko (@1seal) for reporting the issue, providing a detailed PoC and an initial patch!

Fix

Improper Validation of Array Index

Incorrect Type Conversion or Cast

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-129CWE-704

Related Identifiers

GHSA-GX3X-VQ4P-MHHV

Affected Products

Github.Com/Cert-Manager/Cert-Manager