cvedb.io
CVE-2026-47190
MEDIUM · CVSS 4.4
EPSS exploitation probability: 0%
Published 2026-06-12T16:16:29.643 · Last modified 2026-06-17T14:47:13.983

Summary

IPAM is the IP Address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via a supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data. This issue has been patched in versions 1.11.7, 1.12.4, and 1.13.0.
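To check a deployed role for the grant described above, the following added example (not code from the Metal3 project or from this page) audits a Role or ClusterRole, in the JSON form that `kubectl get clusterrole <name> -o json` returns, for rules that reach core/v1 Secrets, including wildcard grants. The role name, the `example.test` API group and both manifests are constructed for illustration.

```python
import json

# Verbs a "*" wildcard expands to for this check.
ALL_VERBS = {"create", "delete", "deletecollection", "get", "list",
             "patch", "update", "watch"}

def secret_grants(role):
    """List the rules of a Role/ClusterRole that grant access to core/v1 Secrets."""
    findings = []
    for index, rule in enumerate(role.get("rules") or []):
        if not {"", "*"} & set(rule.get("apiGroups") or []):
            continue  # rule does not cover the core ("") API group
        if not {"secrets", "*"} & set(rule.get("resources") or []):
            continue  # rule does not cover Secrets
        verbs = set(rule.get("verbs") or [])
        if "*" in verbs:
            verbs = set(ALL_VERBS)
        findings.append({
            "rule": index,
            "verbs": sorted(verbs),
            # An empty list means every Secret the binding's scope reaches.
            "resourceNames": rule.get("resourceNames") or [],
        })
    return findings

# Constructed manifests (names and the example.test group are made up).
BEFORE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "example-ipam-manager-role"},
 "rules": [
  {"apiGroups": ["example.test"], "resources": ["ippools"],
   "verbs": ["get", "list", "watch"]},
  {"apiGroups": [""], "resources": ["secrets"],
   "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]}
 ]}
""")
AFTER = {**BEFORE, "rules": BEFORE["rules"][:1]}  # Secrets rule removed
WILDCARD = {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}

if __name__ == "__main__":
    for name, role in (("before", BEFORE), ("after", AFTER), ("wildcard", WILDCARD)):
        print(name, json.dumps(secret_grants(role)))
```

An empty result for the controller's role after upgrading is the expected state, since the summary says the controller never accesses Secrets during normal operation.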

Affected products

metal3 — ip-address-manager

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.