CVE-2026-47190
Essential information
- Published
- 12/06/2026 18:16
- Modified
- 12/06/2026 16:24
- Author
- The MITRE Corporation
- Creator
- The MITRE Corporation
- CVSS
- 4.4 MEDIUM (v3.1)
- CISA KEV
- No
- CWE
- CWE-250
- EPSS (First)
- P8.9% EPSS percentile: rank of this vulnerability versus all others. Higher percentile = more likely to be exploited. Learn more (score 0.00029)
- CVSS vector
-
—
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N—
CVSS metrics
- Access vector
- —
- Access complexity
- —
- Authentication
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploitability
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- Network
- Attack complexity
- High
- Privileges required
- High
- User interaction
- None
- Scope
- Unchanged
- Confidentiality impact
- High
- Integrity impact
- None
- Availability impact
- None
- Exploit code maturity
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- —
- Attack complexity
- —
- Attack requirements
- —
- Privileges required
- —
- User interaction
- —
- Confidentiality (V)
- —
- Confidentiality (S)
- —
- Integrity (V)
- —
- Integrity (S)
- —
- Availability (V)
- —
- Availability (S)
- —
- Exploit maturity
- —
Description
IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data. This issue has been patched in versions 1.11.7, 1.12.4, and 1.13.0.
NVD status
- Status
- Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
- Source
- [email protected]
- NVD
- View on NVD
Affected products (CPE)
| Product | CPE |
|---|---|
| metal3 / ip address manager | cpe:2.3:a:metal3:ip_address_manager:<1.11.7:*:*:*:*:*:*:* |
| metal3 / ip address manager | cpe:2.3:a:metal3:ip_address_manager:<1.12.4:*:*:*:*:*:*:* |
| metal3 / ip address manager | cpe:2.3:a:metal3:ip_address_manager:<1.13.0:*:*:*:*:*:*:* |