cbcvebase.
CVE-2026-32241
published 2026-03-27

Priority: P2 (64), high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.71% (84.1th percentile)
Flannel is a network fabric for containers, designed for Kubernetes. The Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. In versions of Flannel prior to 0.28.2, this Extension backend is vulnerable to a command injection that allows an attacker who can set Kubernetes Node annotations to achieve root-level arbitrary command execution on every flannel node in the cluster. The Extension backend's SubnetAddCommand and SubnetRemoveCommand receive attacker-controlled data via stdin (from the `flannel.alpha.coreos.com/backend-data` Node annotation). The content of this annotation is unmarshalled and piped directly to a shell command without checks. Kubernetes clusters using Flannel with the Extension backend are affected by this vulnerability. Other backends such as vxlan and wireguard are unaffected. The vulnerability is fixed in version v0.28.2. As a workaround, use Flannel with another backend such as vxlan or wireguard.

Affected (3 ranges)

Vendor     | Product                                   | Version range  | Fixed in
flannel-io | flannel                                   | < 0.28.2       | 0.28.2
github.com | flannel-io_flannel                        | >= 0, < 0.28.2 | 0.28.2
msrc       | azl3_flannel_0.24.2-24_on_azure_linux_3.0 |                |

Detection & IOCs (extracted from sources)

  • Monitor for unexpected shell command execution spawned by the flannel process, particularly as root, which may indicate exploitation of the Extension backend command injection via Node annotation manipulation.
  • Audit and alert on modifications to the `flannel.alpha.coreos.com/backend-data` Kubernetes Node annotation, as attacker-controlled content in this annotation is the injection vector for root-level arbitrary command execution.
  • Identify Flannel deployments using the Extension backend type, as only this experimental backend is vulnerable; vxlan and wireguard backends are not affected.
  • Only Flannel versions prior to 0.28.2 using the experimental Extension backend are vulnerable. The fix is present in v0.28.2.
  • The Extension backend is described as experimental. Clusters using vxlan or wireguard backends are not affected and can be used as a workaround.
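An added audit script (example code, not flannel's own) that applies the checks listed above to constructed inputs: whether net-conf.json selects the Extension backend (assumed here to be `Backend.Type` equal to `extension`), whether the running version is below 0.28.2 (taken from an assumed image tag), and whether any Node's `flannel.alpha.coreos.com/backend-data` annotation carries shell metacharacters that should never reach a shell command. The net-conf, version tag and Node objects are constructed samples.

```python
# Added example (not flannel project code): offline audit for CVE-2026-32241.
# Assumptions: the Extension backend is selected by Backend.Type == "extension"
# in flannel's net-conf.json; the running version is read from the image tag.
import json
import re

ANNOTATION = "flannel.alpha.coreos.com/backend-data"
FIXED_VERSION = (0, 28, 2)
# Metacharacters that have no business in data handed to a shell command.
SHELL_META = re.compile(r"[;&|`$<>\\\n]")

# Constructed sample inputs, not taken from a real cluster.
NET_CONF = ('{"Network":"10.244.0.0/16","Backend":{"Type":"extension",'
            '"SubnetAddCommand":"/opt/flannel/subnet-add.sh"}}')
NODES = [
    {"metadata": {"name": "node-a", "annotations": {
        ANNOTATION: '{"PublicIP":"10.0.0.5"}'}}},
    {"metadata": {"name": "node-b", "annotations": {
        ANNOTATION: '{"PublicIP":"10.0.0.6; echo injected"}'}}},
]

def parse_version(tag):
    """'v0.28.1' -> (0, 28, 1); pre-release suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups())

def uses_extension_backend(net_conf):
    """True when net-conf.json selects the experimental Extension backend."""
    backend = json.loads(net_conf).get("Backend", {})
    return str(backend.get("Type", "")).lower() == "extension"

def suspicious_nodes(nodes):
    """Names of Nodes whose backend-data annotation carries shell metacharacters."""
    hits = []
    for node in nodes:
        meta = node.get("metadata", {})
        if SHELL_META.search(meta.get("annotations", {}).get(ANNOTATION, "")):
            hits.append(meta.get("name", "<unnamed>"))
    return hits

def audit(net_conf, version_tag, nodes):
    """Vulnerable only when both the version and the backend type match."""
    below_fix = parse_version(version_tag) < FIXED_VERSION
    extension = uses_extension_backend(net_conf)
    return {
        "vulnerable": below_fix and extension,
        "extension_backend": extension,
        "suspicious_nodes": suspicious_nodes(nodes),
    }
```

Against a live cluster, feed `audit` the output of `kubectl get nodes -o json` and the flannel ConfigMap instead of the constructed samples; a non-empty `suspicious_nodes` list warrants a look at who wrote that annotation.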

CVSS provenance

Source      | Version | Score | Severity | Vector
nvd         | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_msrc |         | 7.5   | HIGH     |