{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32241", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T14:47:05.684Z", "datePublished": "2026-03-27T19:31:48.276Z", "dateUpdated": "2026-03-27T19:31:48.276Z"}, "containers": {"cna": {"title": "Flannel vulnerable to cross-node remote code execution via extension backend BackendData injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "lang": "en", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/flannel-io/flannel/security/advisories/GHSA-vchx-5pr6-ffx2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/flannel-io/flannel/security/advisories/GHSA-vchx-5pr6-ffx2"}, {"name": "https://github.com/flannel-io/flannel/releases/tag/v0.28.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/flannel-io/flannel/releases/tag/v0.28.2"}], "affected": [{"vendor": "flannel-io", "product": "flannel", "versions": [{"version": "< 0.28.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:31:48.276Z"}, "descriptions": [{"lang": "en", "value": "Flannel is a network fabric for containers, designed for Kubernetes. The Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. In versions of Flannel prior to 0.28.2, this Extension backend is vulnerable to a command injection that allows an attacker who can set Kubernetes Node annotations to achieve root-level arbitrary command execution on every flannel node in the cluster. The Extension backend's SubnetAddCommand and SubnetRemoveCommand receive attacker-controlled data via stdin (from the `flannel.alpha.coreos.com/backend-data` Node annotation). The content of this annotation is unmarshalled and piped directly to a shell command without checks. Kubernetes clusters using Flannel with the Extension backend are affected by this vulnerability. Other backends such as vxlan and wireguard are unaffected. The vulnerability is fixed in version v0.28.2. As a workaround, use Flannel with another backend such as vxlan or wireguard."}], "source": {"advisory": "GHSA-vchx-5pr6-ffx2", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Flannel is a network fabric for containers, designed for Kubernetes. The Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. In versions of Flannel prior to 0.28.2, this Extension backend is vulnerable to a command injection that allows an attacker who can set Kubernetes Node annotations to achieve root-level arbitrary command execution on every flannel node in the cluster. The Extension backend's SubnetAddCommand and SubnetRemoveCommand receive attacker-controlled data via stdin (from the `flannel.alpha.coreos.com/backend-data` Node annotation). The content of this annotation is unmarshalled and piped directly to a shell command without checks. Kubernetes clusters using Flannel with the Extension backend are affected by this vulnerability. Other backends such as vxlan and wireguard are unaffected. The vulnerability is fixed in version v0.28.2. As a workaround, use Flannel with another backend such as vxlan or wireguard."}], "id": "CVE-2026-32241", "lastModified": "2026-03-27T20:16:30.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T20:16:30.570", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/flannel-io/flannel/releases/tag/v0.28.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/flannel-io/flannel/security/advisories/GHSA-vchx-5pr6-ffx2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T20:21:00.400731+00:00", "value": {"mitigation_remediation": ["Upgrade Flannel to version 0.28.2 or later.", "If an upgrade is not possible, reconfigure Flannel to use the vxlan or wireguard backend instead of the Extension backend.", "Restrict or disable the ability for non\u2011admin users to set \"flannel.alpha.coreos.com/backend-data\" annotations on nodes.", "Verify that all Kubernetes nodes run the fixed version or are migrated to an unaffected backend before enabling any annotation\u2011based configuration."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The flaw impacts the flannel\u2011io Flannel project for all releases prior to 0.28.2 when the Extension backend is enabled. Nodes configured with the Extension backend are affected. Stand\u2011alone backends such as vxlan and wireguard remain unaffected.", "description_and_impact": "Flannel, the networking fabric for Kubernetes, contains a command injection vulnerability in its experimental Extension backend. By inserting crafted data into the Kubernetes Node annotation \"flannel.alpha.coreos.com/backend-data\", an attacker can have the unvalidated string streamed into a shell command. The result is arbitrary command execution with root privileges on every Flannel node in the cluster. This weakness is a classic command injection (CWE\u201177) and carries a high severity, with a CVSS score of 7.5.", "risk_and_exploitability": "The vulnerability is not listed in CISA\u2019s KEV catalog and an EPSS score is not provided, so the exact likelihood of exploitation is unknown. However, the attack path is straightforward for anyone who can write or modify Node annotations, which typically requires cluster administrator privileges. Given the 7.5 CVSS score, the risk to confidentiality, integrity, and availability is significant if the vulnerability is exploited."}}}}, "created": "2026-03-27T20:27:31.373302+00:00", "updated": "2026-03-27T20:27:31.373332+00:00", "vendors": []}