CVE-2026-32241
Published 2026-03-27
Priority: P2 (64) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.71% (84.1th percentile)
Flannel is a network fabric for containers, designed for Kubernetes. The project ships an experimental Extension backend that lets users prototype new backend types by supplying shell commands in the backend configuration. In versions of Flannel prior to 0.28.2, this Extension backend is vulnerable to command injection (CWE-77): an attacker who can set Kubernetes Node annotations can achieve root-level arbitrary command execution on every flannel node in the cluster. The Extension backend's SubnetAddCommand and SubnetRemoveCommand receive attacker-controlled data via stdin, taken from the `flannel.alpha.coreos.com/backend-data` Node annotation; the annotation content is unmarshalled and piped straight into a shell command without any check on its format. Because each flanneld instance consumes the annotations of every other node when it programs connectivity, a single annotation write is acted on by the root-running flannel process on every node that uses the Extension backend, which is what makes this cross-node. The precondition is write access to Node metadata, which in RBAC terms is update or patch on nodes, not cluster-admin. Only clusters running Flannel with the Extension backend are affected; the vxlan and wireguard backends are not. The fix is in v0.28.2. As a workaround, run Flannel with another backend such as vxlan or wireguard.
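The injection class described above, as an added illustration that is not flannel's code and does not reproduce the exact code path fixed in v0.28.2: the annotation value is JSON-unmarshalled and then reaches a shell. `unsafeCommand` splices the text into the script (the CWE-77 shape), while `safeCommand` validates it against an assumed allowlist and passes it only on stdin, keeping argv constant. The function names, the `subnetAddCommand` script, the allowlist regexp and both sample annotations are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Annotation named in the advisory; each node publishes its backend data here as a JSON value.
const backendDataAnnotation = "flannel.alpha.coreos.com/backend-data"

// Constructed sample Node annotations (not captured from a cluster).
// benignNode carries a base64-looking token; hostileNode carries shell command substitution.
var (
	benignNode  = map[string]string{backendDataAnnotation: `"AbCdEf0123456789abcdef0123456789abcdef01AA="`}
	hostileNode = map[string]string{backendDataAnnotation: `"$(id)"`}
)

// backendData reads the annotation as a consumer would: JSON-unmarshal the value into a string.
// No format check happens here, which is the gap the advisory describes.
func backendData(annotations map[string]string) (string, error) {
	raw, ok := annotations[backendDataAnnotation]
	if !ok {
		return "", errors.New("annotation " + backendDataAnnotation + " missing")
	}
	var s string
	if err := json.Unmarshal([]byte(raw), &s); err != nil {
		return "", fmt.Errorf("backend-data is not a JSON string: %w", err)
	}
	return s, nil
}

// subnetAddCommand is a hypothetical operator-written SubnetAddCommand in the style of the
// Extension backend: peer data arrives on stdin, SUBNET and PUBLIC_IP arrive as environment.
const subnetAddCommand = `read PEER_DATA; echo "add peer $PEER_DATA for $SUBNET via $PUBLIC_IP"`

// unsafeCommand shows the injection class (CWE-77): the annotation text is spliced into the
// script, so "$(id)" becomes part of the program sh parses and runs, not data it reads.
func unsafeCommand(data string) *exec.Cmd {
	script := strings.Replace(subnetAddCommand, "read PEER_DATA;", "PEER_DATA="+data+";", 1)
	return exec.Command("sh", "-c", script)
}

// backendDataAllowed is an ASSUMED allowlist: a bounded token of base64/IP-style characters.
// A real deployment should pin this to the exact format its commands expect.
var backendDataAllowed = regexp.MustCompile(`^[A-Za-z0-9+/=:.-]{1,128}$`)

// validateBackendData rejects anything outside the allowlist before it reaches a shell.
func validateBackendData(data string) error {
	if !backendDataAllowed.MatchString(data) {
		return fmt.Errorf("backend-data %q rejected: outside allowed character set or length", data)
	}
	return nil
}

// safeCommand validates, then keeps the script text constant and delivers the data only via
// stdin and the environment: argv never contains attacker-controlled text.
func safeCommand(subnet, publicIP, data string) (*exec.Cmd, error) {
	if err := validateBackendData(data); err != nil {
		return nil, err
	}
	cmd := exec.Command("sh", "-c", subnetAddCommand)
	cmd.Env = []string{"SUBNET=" + subnet, "PUBLIC_IP=" + publicIP}
	cmd.Stdin = strings.NewReader(data + "\n")
	return cmd, nil
}

func main() {
	for _, node := range []map[string]string{benignNode, hostileNode} {
		data, err := backendData(node)
		if err != nil {
			fmt.Println("skip:", err)
			continue
		}
		// Print, do not run, the unsafe form: its argv shows the payload inside the script.
		fmt.Printf("unsafe argv: %q\n", unsafeCommand(data).Args)
		cmd, err := safeCommand("10.244.1.0/24", "192.0.2.10", data)
		if err != nil {
			fmt.Println("safe path refused:", err)
			continue
		}
		out, _ := cmd.Output()
		fmt.Printf("safe argv: %q -> %s", cmd.Args, out)
	}
}
```

Delivering the value on stdin is not by itself a fix: a configured command that `eval`s or otherwise re-interprets what it reads would still execute it. The check that closes the hole is validation of the annotation against the format the commands actually expect, done before any shell is spawned.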
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flannel-io | flannel | < 0.28.2 | 0.28.2 |
| github.com | flannel-io_flannel | >= 0 < 0.28.2 | 0.28.2 |
| msrc | azl3_flannel_0.24.2-24_on_azure_linux_3.0 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unexpected shell command execution spawned by the flannel process, particularly as root; this may indicate exploitation of the Extension backend command injection via Node annotation manipulation.
- Audit and alert on modifications to the `flannel.alpha.coreos.com/backend-data` Kubernetes Node annotation: attacker-controlled content in this annotation is the injection vector for root-level arbitrary command execution.
- Identify Flannel deployments using the Extension backend type; only this experimental backend is vulnerable, and the vxlan and wireguard backends are not affected.
- Only Flannel versions prior to 0.28.2 using the experimental Extension backend are vulnerable; the fix is present in v0.28.2.
- The Extension backend is described as experimental. Clusters using vxlan or wireguard backends are not affected, and switching to one of them is the documented workaround.
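A check for the audit item above (writes to the backend-data Node annotation and what they contain), as an added example that is not from the page's sources or the flannel project. It assumes the API server audit policy records `nodes` at level Request or RequestResponse, so `requestObject` is present, and it handles both merge/strategic patch bodies and RFC 6902 JSON Patch arrays. The audit lines, the `Scan` and `annotationValue` names and the severity scheme are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Annotation named in the advisory.
const backendDataKey = "flannel.alpha.coreos.com/backend-data"

// JSON Patch (RFC 6902) escapes "/" inside a key as "~1".
var backendDataPatchPath = "/metadata/annotations/" + strings.ReplaceAll(backendDataKey, "/", "~1")

// auditEvent is the subset of an audit.k8s.io/v1 Event this check reads. requestObject is only
// present when the audit policy logs nodes at level Request or RequestResponse.
type auditEvent struct {
	Verb string `json:"verb"`
	User struct {
		Username string `json:"username"`
	} `json:"user"`
	ObjectRef struct {
		Resource string `json:"resource"`
		Name     string `json:"name"`
	} `json:"objectRef"`
	RequestObject json.RawMessage `json:"requestObject"`
}

// Finding is one annotation write worth reviewing.
type Finding struct {
	User, Node, Value, Severity string
}

// shellMeta: characters that have no business in a value that ends up in front of sh.
const shellMeta = "$`;|&<>()\n"

// annotationValue pulls the backend-data value out of a merge/strategic patch body
// ({"metadata":{"annotations":{...}}}) or a JSON Patch array; ok is false if it is not touched.
func annotationValue(body json.RawMessage) (value string, ok bool) {
	var obj struct {
		Metadata struct {
			Annotations map[string]string `json:"annotations"`
		} `json:"metadata"`
	}
	if json.Unmarshal(body, &obj) == nil {
		if v, found := obj.Metadata.Annotations[backendDataKey]; found {
			return v, true
		}
	}
	var ops []struct {
		Op    string          `json:"op"`
		Path  string          `json:"path"`
		Value json.RawMessage `json:"value"`
	}
	if json.Unmarshal(body, &ops) == nil {
		for _, op := range ops {
			if op.Path == backendDataPatchPath && op.Op != "remove" {
				var s string
				if json.Unmarshal(op.Value, &s) == nil {
					return s, true
				}
				return string(op.Value), true
			}
		}
	}
	return "", false
}

// Scan flags every patch/update of a Node that writes the annotation, rating it high when the
// decoded value carries shell metacharacters. Every other write is medium: the analyst still has
// to confirm the writer is the flannel identity expected for that node.
func Scan(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		var ev auditEvent
		if json.Unmarshal([]byte(line), &ev) != nil {
			continue
		}
		if ev.ObjectRef.Resource != "nodes" || (ev.Verb != "patch" && ev.Verb != "update") {
			continue
		}
		raw, found := annotationValue(ev.RequestObject)
		if !found {
			continue
		}
		// The annotation holds JSON; decode once so the payload is inspected as the consumer sees it.
		decoded := raw
		var s string
		if json.Unmarshal([]byte(raw), &s) == nil {
			decoded = s
		}
		sev := "medium"
		if strings.ContainsAny(decoded, shellMeta) {
			sev = "high"
		}
		out = append(out, Finding{User: ev.User.Username, Node: ev.ObjectRef.Name, Value: decoded, Severity: sev})
	}
	return out
}

// sampleAudit: constructed audit lines, not captured from a real cluster.
var sampleAudit = []string{
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"patch","user":{"username":"system:serviceaccount:kube-flannel:flannel"},"objectRef":{"resource":"nodes","name":"worker-1"},"requestObject":{"metadata":{"annotations":{"flannel.alpha.coreos.com/backend-data":"\"AbCdEf0123456789abcdef0123456789abcdef01AA=\""}}}}`,
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"patch","user":{"username":"dev-ci"},"objectRef":{"resource":"nodes","name":"worker-2"},"requestObject":[{"op":"add","path":"/metadata/annotations/flannel.alpha.coreos.com~1backend-data","value":"\"$(id)\""}]}`,
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:kube-scheduler"},"objectRef":{"resource":"nodes","name":"worker-2"}}`,
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"patch","user":{"username":"dev-ci"},"objectRef":{"resource":"pods","namespace":"default","name":"web"},"requestObject":{"metadata":{"annotations":{"flannel.alpha.coreos.com/backend-data":"x"}}}}`,
}

func main() {
	for _, f := range Scan(sampleAudit) {
		fmt.Printf("[%s] %s wrote backend-data on node %s: %q\n", f.Severity, f.User, f.Node, f.Value)
	}
}
```

Run it over the API server audit log (one JSON event per line). To scope the alert, first establish whether the Extension backend is in use at all: in the upstream kube-flannel manifest the backend type is the `Backend.Type` field of the `net-conf.json` key in the `kube-flannel-cfg` ConfigMap, and only `"extension"` is in scope for this CVE.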
CVSS provenance
- NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Vendor (MSRC): 7.5 HIGH
OSV (2026-04-02): Flannel has cross-node remote code execution via extension backend BackendData injection in github.com/flannel-io/flannel
OSV (2026-03-27) [HIGH]: Flannel has cross-node remote code execution via extension backend BackendData injection
### Background
The Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. This backend uses shell commands stored in Kubernetes annotations to configure network connectivity on the node.
Note: consumers are only affected by this vulnerability if they use the experimental Extension backend. Other backends such as vxlan and wireguard are unaffected.
### Vulnerability
This Extension backend is vulnerable to a command injection that allows an attacker who can set Kubernetes Node annotations to achieve root-level arbitrary command execution on every flannel node in the cluster.
The Extension backend's SubnetAddCommand and SubnetRemoveCommand r
GHSA (2026-03-27) [HIGH] CWE-77: Flannel has cross-node remote code execution via extension backend BackendData injection
Microsoft MSRC (2026-03-10) [HIGH] CWE-77, CVSS 7.5: Flannel vulnerable to cross-node remote code execution via extension backend BackendData injection
Product: Mariner · Tag: GitHub_M · Customer Action Required: Yes
No detection rules found.
No public exploits indexed.