GHSA-vchx-5pr6-ffx2

Source

https://github.com/advisories/GHSA-vchx-5pr6-ffx2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vchx-5pr6-ffx2/GHSA-vchx-5pr6-ffx2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vchx-5pr6-ffx2

Aliases

Related

CGA-8mfx-36h4-r3x4

Published

2026-03-27T20:28:13Z

Modified

2026-04-02T21:26:18.487700497Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Flannel has cross-node remote code execution via extension backend BackendData injection

Details

Background

The Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. This backend uses shell commands stored in Kubernetes annotations to configure network connectivity on the node.

Note: consumers are only affected by this vulnerability if they use the experimental Extension backend. Other backends such as vxlan and wireguard are unaffected.

Vulnerability

This Extension backend is vulnerable to a command injection that allows an attacker who can set Kubernetes Node annotations to achieve root-level arbitrary command execution on every flannel node in the cluster.

The Extension backend's SubnetAddCommand and SubnetRemoveCommand receive attacker-controlled data via stdin (from the flannel.alpha.coreos.com/backend-data Node annotation). The content of this annotation is unmarshalled and piped directly to a shell command without checks.

Impact

Kubernetes clusters using Flannel with the Extension backend are affected by this vulnerability. Other backends such as vxlan and wireguard are unaffected.

Patches

This is fixed in version v0.28.2.

Workaround

If consumers cannot update to a patched version, then use Flannel with another backend such as vxlan or wireguard.

Credits

Flannel would like to thank Shachar Tal from Palo Alto Networks for reporting this vulnerability.

Database specific

{
    "severity": "HIGH",
    "github_reviewed_at": "2026-03-27T20:28:13Z",
    "github_reviewed": true,
    "nvd_published_at": "2026-03-27T20:16:30Z",
    "cwe_ids": [
        "CWE-77",
        "CWE-78"
    ]
}

References

Affected packages

Go / github.com/flannel-io/flannel

Package

Name: github.com/flannel-io/flannel; View open source insights on deps.dev
Purl: pkg:golang/github.com/flannel-io/flannel

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.28.2

Database specific

last_known_affected_version_range

"<= 0.28.1"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vchx-5pr6-ffx2/GHSA-vchx-5pr6-ffx2.json"