IPAM controller service account granted unnecessary full access to Secrets

4.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Description

IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data. This issue has been patched in versions 1.11.7, 1.12.4, and 1.13.0.

Basic Information

ID CVE-2026-47190

Source GitHub_M

Published Jun 12, 2026 at 14:49

Affected Product

Vendor metal3-io

Product ip-address-manager

Version < 1.11.7

Affected Versions metal3-io ip-address-manager < 1.11.7
metal3-io ip-address-manager < 1.12.4
metal3-io ip-address-manager < 1.13.0

CWE Classification

CWE-250

References

{
    "lastseen": "",
    "description": "IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data. This issue has been patched in versions 1.11.7, 1.12.4, and 1.13.0.",
    "published": "2026-06-12T14:49:51.732Z",
    "modified": "2026-06-12T14:49:51.732Z",
    "type": "cve",
    "title": "IPAM controller service account granted unnecessary full access to Secrets",
    "source": "GitHub_M",
    "references": "https://github.com/metal3-io/ip-address-manager/security/advisories/GHSA-49pm-43hf-6xfq\nhttps://github.com/metal3-io/ip-address-manager/pull/1355\nhttps://github.com/metal3-io/ip-address-manager/pull/1356\nhttps://github.com/metal3-io/ip-address-manager/pull/1357",
    "id": "CVE-2026-47190",
    "bulletinFamily": "",
    "cwe": [
        "CWE-250"
    ],
    "cvelist": null,
    "sourceData": "metal3-io ip-address-manager < 1.11.7\nmetal3-io ip-address-manager < 1.12.4\nmetal3-io ip-address-manager < 1.13.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ip-address-manager",
    "version": "< 1.11.7",
    "vendor": "metal3-io",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

IPAM controller service account granted unnecessary full access to Secrets_CVE-2026-47190