CVE-2026-47190

June 12, 2026, 4:24 p.m.

4.4
Medium

Description

IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data. This issue has been patched in versions 1.11.7, 1.12.4, and 1.13.0.

Product(s) Impacted

Vendor Product Versions
Metal3
  • Ip Address Manager
  • <1.11.7, <1.12.4, <1.13.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-250
Execution with Unnecessary Privileges
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a metal3 ip_address_manager <1.11.7 / / / / / / /
a metal3 ip_address_manager <1.12.4 / / / / / / /
a metal3 ip_address_manager <1.13.0 / / / / / / /

References

https://github.com/metal3-io/ip-address-manager/pull/1355
https://github.com/metal3-io/ip-address-manager/pull/1356
https://github.com/metal3-io/ip-address-manager/pull/1357
https://github.com/metal3-io/ip-address-manager/security/advisories/GHSA-49pm-43hf-6xfq

Tags

[email protected]
CWE-250
2026-06-12
CVE-2026-47190

CVSS Score

4.4 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: HIGH
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

    View Vector String

Timeline

Published: June 12, 2026, 4:16 p.m.
Last Modified: June 12, 2026, 4:24 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.