CVSS score: 7.6

OpenKruise PodProbeMarker allows attackers to scan network from nodes

CVE-2026-24005 · GHSA-9fj4-3849-rv9g
Summary

A security issue in OpenKruise's PodProbeMarker allows an attacker with permission to create probes to scan any network from the Kubernetes node. This could allow an attacker to gather information about the network and potentially connect to unauthorized systems. To fix this issue, update to version 1.8.3 or 1.7.5 of OpenKruise.

What to do
  • Update github.com openkruise to version 1.8.3 or 1.7.5.
  • Update openkruise github.com/openkruise/kruise to version 1.8.3 or 1.7.5.
Affected software

Vendor      Product                         Affected versions    Fix available
github.com  openkruise                      > 1.8.0, <= 1.8.3    1.8.3
github.com  openkruise                      <= 1.7.5             1.7.5
openkruise  kruise                          <= 1.7.5             (none listed)
openkruise  kruise                          > 1.8.0, <= 1.8.3    (none listed)
openkruise  github.com/openkruise/kruise    > 1.8.0, <= 1.8.3    1.8.3
openkruise  github.com/openkruise/kruise    <= 1.7.5             1.7.5
Original title
OpenKruise PodProbeMarker is Vulnerable to SSRF via Unrestricted Host Field
Original description
Kruise provides automated management of large-scale applications on Kubernetes. Prior to versions 1.8.3 and 1.7.5, PodProbeMarker allows defining custom probes with TCPSocket or HTTPGet handlers. The webhook validation does not restrict the Host field in these probe configurations. Since kruise-daemon runs with hostNetwork=true, it executes probes from the node network namespace. An attacker with PodProbeMarker creation permission can specify arbitrary Host values to trigger SSRF from the node, perform port scanning, and receive response feedback through NodePodProbe status messages. Versions 1.8.3 and 1.7.5 patch the issue.
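The description above comes down to one missing admission check: a probe handler whose Host field points anywhere but the target pod must be rejected before kruise-daemon ever runs it from the node's network namespace. The following Go function is an added illustration of such a check; it is not Kruise's own code or its actual patch, and the struct types are simplified stand-ins for the Kruise/Kubernetes API types (assumed shapes, only the fields needed here).

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified stand-ins for the probe handler types a PodProbeMarker carries
// (assumed shapes; the real ones live in the Kruise and Kubernetes API packages).
type HTTPGetAction struct {
	Host string
	Path string
	Port int
}

type TCPSocketAction struct {
	Host string
	Port int
}

type ProbeHandler struct {
	HTTPGet   *HTTPGetAction
	TCPSocket *TCPSocketAction
}

type ContainerProbe struct {
	Name  string
	Probe ProbeHandler
}

// ValidateProbes is the kind of check the vulnerable webhook lacked: because
// the daemon executes probes with hostNetwork=true, any non-empty Host would
// let the probe reach arbitrary addresses from the node. An empty Host keeps
// the probe bound to the target pod. Returns one message per offending probe;
// an empty result means the spec is acceptable.
func ValidateProbes(probes []ContainerProbe) []string {
	var errs []string
	for _, p := range probes {
		if g := p.Probe.HTTPGet; g != nil && strings.TrimSpace(g.Host) != "" {
			errs = append(errs, fmt.Sprintf("probe %q: httpGet.host must be empty, got %q", p.Name, g.Host))
		}
		if s := p.Probe.TCPSocket; s != nil && strings.TrimSpace(s.Host) != "" {
			errs = append(errs, fmt.Sprintf("probe %q: tcpSocket.host must be empty, got %q", p.Name, s.Host))
		}
	}
	return errs
}
```

A webhook that returns these messages as a denial reason gives the submitter a clear error while preventing the node-side request from ever being issued.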
NVD CVSS 3.1 base score: 7.6
Vulnerability type
CWE-918 Server-Side Request Forgery (SSRF)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026