CVE-2026-29954

HIGH

KubePlus 4.1.4 - chartURL Server-Side Request Forgery and Header Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-29954. PoCs published by b0b0haha.

AI-analyzed exploit summary: This repository contains a functional exploit PoC for CVE-2026-29954, demonstrating SSRF and header injection vulnerabilities in KubePlus via crafted chartURL parameters. The PoC includes detailed steps for environment setup, exploitation, and verification of the vulnerability.

Description

In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded; the target address is never validated, so the chart download can be pointed at internal hosts. More critically, when kubeconfiggenerator uses wget to download charts, the chartURL is concatenated directly into the command line, so a crafted value can inject wget's `--header` option (argument injection, CWE-88) and add arbitrary HTTP headers to the request.
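The two defects described above (no target validation, and a user-controlled string spliced into a shell command) have a standard remediation: validate the URL before use, and invoke the downloader with an argument vector rather than a shell string, ending option parsing with `--`. The following Go program is an added illustration of that pattern and is not KubePlus code; the function names, the `allowedHosts` parameter and the sample inputs (including the constructed `--header` value) are assumptions made for the example. It goes slightly beyond the page by also rejecting non-public IP literals and embedded credentials, which are the usual SSRF checks a chart fetcher would want.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"os/exec"
	"strings"
)

// BlockedHostIP reports whether an IP literal points at a loopback, private,
// link-local or otherwise non-public address (the classic SSRF destinations).
func BlockedHostIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// ValidateChartURL accepts a chartURL only if it is a plain http(s) URL with a
// host, no embedded credentials, no characters a shell would split on, nothing
// wget would read as an option, and no non-public IP literal. allowedHosts,
// when non-empty, further restricts the host to known chart repositories.
// It returns the normalised URL string. (Hypothetical helper for this example.)
func ValidateChartURL(raw string, allowedHosts []string) (string, error) {
	if raw == "" {
		return "", errors.New("chartURL is empty")
	}
	// Argument-injection guard: a leading '-' would become a wget option, and
	// whitespace would let a shell split the value into extra arguments.
	if strings.HasPrefix(raw, "-") {
		return "", errors.New("chartURL must not start with '-'")
	}
	if strings.ContainsAny(raw, " \t\r\n") {
		return "", errors.New("chartURL must not contain whitespace")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("chartURL is not a valid URL: %w", err)
	}
	if u.Scheme != "https" && u.Scheme != "http" {
		return "", fmt.Errorf("chartURL scheme %q not allowed", u.Scheme)
	}
	if u.Hostname() == "" {
		return "", errors.New("chartURL has no host")
	}
	if u.User != nil {
		return "", errors.New("chartURL must not embed credentials")
	}
	// SSRF guard for IP literals. DNS names are only checked against the
	// allowlist; resolving them here would still be exposed to DNS rebinding.
	if ip := net.ParseIP(u.Hostname()); ip != nil && BlockedHostIP(ip) {
		return "", fmt.Errorf("chartURL host %s is not a public address", ip)
	}
	if len(allowedHosts) > 0 {
		allowed := false
		for _, h := range allowedHosts {
			if strings.EqualFold(h, u.Hostname()) {
				allowed = true
				break
			}
		}
		if !allowed {
			return "", fmt.Errorf("chartURL host %q is not an allowed chart repository", u.Hostname())
		}
	}
	return u.String(), nil
}

// VulnerableCommandLine mirrors the unsafe pattern the advisory describes: the
// untrusted value is spliced into one shell string, so anything after a space
// becomes a separate wget argument.
func VulnerableCommandLine(chartURL string) string {
	return "wget -O /tmp/chart.tgz " + chartURL
}

// SafeWgetArgs builds an argv for exec.Command: each argument is passed
// separately (no shell), and "--" ends option parsing so the URL can never be
// interpreted as a wget flag even if validation were bypassed.
func SafeWgetArgs(chartURL, dest string) []string {
	return []string{"wget", "-O", dest, "--", chartURL}
}

func main() {
	allowed := []string{"charts.example.com"} // constructed allowlist
	inputs := []string{                      // constructed sample inputs
		"https://charts.example.com/app-1.0.tgz",
		"https://charts.example.com/app.tgz --header=X-Injected:1", // argument injection attempt
		"http://127.0.0.1:8080/chart.tgz",                          // SSRF to loopback
		"file:///etc/hosts",                                        // disallowed scheme
	}
	for _, in := range inputs {
		u, err := ValidateChartURL(in, allowed)
		if err != nil {
			fmt.Printf("REJECT %q: %v\n", in, err)
			continue
		}
		args := SafeWgetArgs(u, "/tmp/chart.tgz")
		cmd := exec.Command(args[0], args[1:]...) // built but not run here
		fmt.Printf("ACCEPT %q -> argv %q\n", in, cmd.Args)
	}
}
```

The whitespace and leading-dash checks are what close the CWE-88 path; the scheme, IP and allowlist checks address CWE-918. Passing `--` before the URL is cheap defence in depth that holds even if a future change weakens the validation.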

Exploits (1)

nomisec WORKING POC
by b0b0haha · poc
https://github.com/b0b0haha/CVE-2026-29954

Classification
Working PoC 95%
Attack Type
SSRF
Complexity
Moderate
Reliability
Reliable
Target: KubePlus v4.2.0
Auth required
Prerequisites: Kind cluster · KubePlus v4.2.0 installed · Provider privileges · Callback server for verification
devstral-2 · analyzed Apr 28, 2026

Scores

CVSS v3 7.6
EPSS 0.0027
EPSS Percentile 18.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-88 CWE-918
Status published
Products (2)
cloudark/kubeplus 4.1.4
n/a/n/a
Published Mar 30, 2026
Tracked Since Mar 30, 2026