CVE-2026-47190
MEDIUMIPAM controller service account granted unnecessary full access to Secrets
Title source: cnaDescription
IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data. This issue has been patched in versions 1.11.7, 1.12.4, and 1.13.0.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/metal3-io/ip-address-manager/security/advisories/GHSA-49pm-43hf-6xfq
X_Refsource_Misc x_refsource_misc
https://github.com/metal3-io/ip-address-manager/pull/1355
X_Refsource_Misc x_refsource_misc
https://github.com/metal3-io/ip-address-manager/pull/1356
X_Refsource_Misc x_refsource_misc
https://github.com/metal3-io/ip-address-manager/pull/1357
Scores
CVSS v3
4.4
EPSS
0.0042
EPSS Percentile
33.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-250
Status
published
Products (5)
metal3-io/ip-address-manager
0 - 1.11.7Go
metal3-io/ip-address-manager
1.12.0 - 1.12.4Go
metal3-io/ip-address-manager
< 1.11.7
metal3-io/ip-address-manager
< 1.12.4
metal3-io/ip-address-manager
< 1.13.0
Published
Jun 12, 2026
Tracked Since
Jun 12, 2026