Platform: go
Component: github.com/openkruise/kruise
Fixed in: 1.7.5, 1.7.6, 1.8.1, 1.8.3
CVE-2026-24005 describes a Server-Side Request Forgery (SSRF) vulnerability in the PodProbeMarker component of OpenKruise. The flaw lets an attacker trigger outbound requests through the vulnerable component, which can lead to unauthorized access to internal resources. The vulnerability affects OpenKruise versions before 1.7.5 and is addressed by upgrading.
The SSRF vulnerability in OpenKruise PodProbeMarker allows an attacker to craft malicious PodProbeMarker configurations that include an unrestricted 'host' field. This field, intended for specifying the target host of a probe, can be abused to make arbitrary HTTP requests from within the Kubernetes cluster. Successful exploitation could allow an attacker to scan internal services, access sensitive data stored in internal databases, or interact with other internal systems without proper authentication. The blast radius is limited to the internal network reachable from the PodProbeMarker, but the potential for data exposure and lateral movement within the cluster remains a significant concern. Although the CVSS score is low, the ease of exploitation and the potential for internal reconnaissance make this a noteworthy security risk.
CVE-2026-24005 was published on 2026-02-27. Its CVSS score is 2.5 (LOW), indicating low severity. No public Proof-of-Concept (PoC) code has been released as of this writing. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and its EPSS (Exploit Prediction Scoring System) score is low. Monitor security advisories and threat intelligence feeds for any indication of active exploitation campaigns targeting this vulnerability.
Exploit status
EPSS: 0.04% (12th percentile)
The primary mitigation for CVE-2026-24005 is to upgrade OpenKruise to version 1.7.5 or later. This version includes a fix that restricts the host field in PodProbeMarker configurations, closing the SSRF vector. If upgrading is not immediately feasible, consider implementing network policies within your Kubernetes cluster to restrict outbound traffic from PodProbeMarker pods to only the destinations they need. Additionally, review and validate all existing PodProbeMarker configurations to ensure they do not contain unrestricted host fields. After upgrading, confirm the fix by deploying a test PodProbeMarker with a deliberately invalid host and verifying that the probe fails as expected rather than initiating an outbound request.
Upgrade OpenKruise to version 1.8.3 or later, or to version 1.7.5 or later, to fix the SSRF vulnerability in PodProbeMarker. This prevents attackers with permission to create PodProbeMarker resources from performing SSRF from the node.
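To support the configuration review recommended above, here is an added audit script (not code from OpenKruise or from this advisory) that walks a PodProbeMarker list and reports every probe whose handler names an explicit host. The JSON paths it inspects (spec.probes[].probe.httpGet.host and spec.probes[].probe.tcpSocket.host) and the apps.kruise.io/v1alpha1 API version are assumptions based on the Kubernetes probe handler layout; the embedded sample list is constructed for the demonstration and should be replaced with the output of `kubectl get podprobemarkers -A -o json` in a real cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// Minimal model of only the fields this audit looks at. The real CRD carries
// many more fields; unknown JSON keys are ignored by encoding/json.
// ASSUMPTION: the probe handler sits at spec.probes[].probe and follows the
// Kubernetes httpGet/tcpSocket layout, so "host" is the field of interest.
type hostAction struct {
	Host string `json:"host,omitempty"`
}

type probeHandler struct {
	HTTPGet   *hostAction `json:"httpGet,omitempty"`
	TCPSocket *hostAction `json:"tcpSocket,omitempty"`
}

type containerProbe struct {
	Name  string       `json:"name"`
	Probe probeHandler `json:"probe"`
}

type podProbeMarker struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		Probes []containerProbe `json:"probes"`
	} `json:"spec"`
}

// podProbeMarkerList matches the List shape that `kubectl get ... -o json` returns.
type podProbeMarkerList struct {
	Items []podProbeMarker `json:"items"`
}

// Finding records one probe that would be aimed at an explicit host rather
// than at the pod it is attached to, i.e. a candidate for the SSRF issue.
type Finding struct {
	Namespace, Marker, Probe, Kind, Host string
}

func (f Finding) String() string {
	return fmt.Sprintf("%s/%s probe %q: %s.host=%q", f.Namespace, f.Marker, f.Probe, f.Kind, f.Host)
}

// AuditPodProbeMarkers parses a PodProbeMarkerList and returns every probe
// whose httpGet or tcpSocket handler sets a non-empty host.
func AuditPodProbeMarkers(data []byte) ([]Finding, error) {
	var list podProbeMarkerList
	if err := json.Unmarshal(data, &list); err != nil {
		return nil, fmt.Errorf("parse PodProbeMarkerList: %w", err)
	}
	var findings []Finding
	for _, m := range list.Items {
		for _, p := range m.Spec.Probes {
			if h := p.Probe.HTTPGet; h != nil && h.Host != "" {
				findings = append(findings, Finding{Namespace: m.Metadata.Namespace, Marker: m.Metadata.Name, Probe: p.Name, Kind: "httpGet", Host: h.Host})
			}
			if t := p.Probe.TCPSocket; t != nil && t.Host != "" {
				findings = append(findings, Finding{Namespace: m.Metadata.Namespace, Marker: m.Metadata.Name, Probe: p.Name, Kind: "tcpSocket", Host: t.Host})
			}
		}
	}
	return findings, nil
}

// SampleList is a CONSTRUCTED list used when nothing is piped on stdin:
// one probe targets its own pod (fine), two name explicit internal hosts.
const SampleList = `{"apiVersion":"v1","kind":"List","items":[
 {"apiVersion":"apps.kruise.io/v1alpha1","kind":"PodProbeMarker",
  "metadata":{"name":"web-health","namespace":"prod"},
  "spec":{"selector":{"matchLabels":{"app":"web"}},"probes":[
    {"name":"healthz","containerName":"web","probe":{"httpGet":{"path":"/healthz","port":8080}}},
    {"name":"upstream","containerName":"web","probe":{"httpGet":{"host":"10.10.1.20","path":"/","port":80}}},
    {"name":"db-port","containerName":"web","probe":{"tcpSocket":{"host":"10.10.1.21","port":5432}}}
  ]}}]}`

func main() {
	data := []byte(SampleList)
	// Prefer piped input (e.g. kubectl get podprobemarkers -A -o json | go run audit.go).
	if st, err := os.Stdin.Stat(); err == nil && st.Mode()&os.ModeCharDevice == 0 {
		if in, err := io.ReadAll(os.Stdin); err == nil && len(in) > 0 {
			data = in
		}
	}
	findings, err := AuditPodProbeMarkers(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero so the audit can gate a CI or pre-upgrade check
	}
}
```

Run against the sample, the program lists the `upstream` and `db-port` probes and exits 1; an empty result means every probe is scoped to its own pod, which is the state the fixed versions enforce.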
CVE-2026-24005 is a Server-Side Request Forgery (SSRF) vulnerability in the PodProbeMarker component of OpenKruise that allows attackers to initiate outbound requests. It affects versions before 1.7.5 and has a CVSS score of 2.5 (LOW).
You are affected if you are running an OpenKruise version prior to 1.7.5 and are using the PodProbeMarker component. Check your version and upgrade if necessary.
Upgrade OpenKruise to version 1.7.5 or later. As a temporary workaround, implement network policies to restrict outbound traffic from PodProbeMarker pods.
As of now, there are no public reports of active exploitation campaigns targeting CVE-2026-24005, but continuous monitoring is recommended.
Refer to the OpenKruise project's official security advisories and release notes for detailed information and updates regarding CVE-2026-24005: [https://github.com/openkruise/kruise/security/advisories](https://github.com/openkruise/kruise/security/advisories)