{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/local-path-provisioner--0.0.34/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["local-path-provisioner (\u003c 0.0.34)"],"_cs_severities":["high"],"_cs_tags":["kubernetes","privilege-escalation","template-injection"],"_cs_type":"advisory","_cs_vendors":["Rancher","SUSE"],"content_html":"\u003cp\u003eThe Rancher local-path-provisioner is vulnerable to a HelperPod template injection. A malicious user with the ability to modify the \u003ccode\u003elocal-path-config\u003c/code\u003e ConfigMap in the \u003ccode\u003elocal-path-storage\u003c/code\u003e namespace can manipulate the \u003ccode\u003ehelperPod.yaml\u003c/code\u003e template. This template is used by the provisioner to create HelperPods during PersistentVolumeClaim (PVC) provisioning and cleanup. The vulnerability stems from insufficient validation of the \u003ccode\u003ehelperPod.yaml\u003c/code\u003e template, which allows the injection of security-sensitive fields like \u003ccode\u003esecurityContext.privileged\u003c/code\u003e, \u003ccode\u003ehostPath\u003c/code\u003e volumes, and Linux capabilities. Successfully exploiting this vulnerability can result in a privileged pod running on the target node with the host root filesystem mounted. Patched versions of \u003ccode\u003elocal-path-provisioner\u003c/code\u003e include releases v0.0.34 and later. This issue is identified as CVE-2026-44543.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to the Kubernetes cluster.\u003c/li\u003e\n\u003cli\u003eAttacker obtains permission to edit the \u003ccode\u003elocal-path-config\u003c/code\u003e ConfigMap within the \u003ccode\u003elocal-path-storage\u003c/code\u003e namespace.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the \u003ccode\u003ehelperPod.yaml\u003c/code\u003e template within the \u003ccode\u003elocal-path-config\u003c/code\u003e ConfigMap to inject malicious configurations, such as setting \u003ccode\u003esecurityContext.privileged\u003c/code\u003e to \u003ccode\u003etrue\u003c/code\u003e or adding a \u003ccode\u003ehostPath\u003c/code\u003e volume mount.\u003c/li\u003e\n\u003cli\u003eAttacker triggers a PVC provisioning or cleanup operation, causing the \u003ccode\u003elocal-path-provisioner\u003c/code\u003e to load the modified \u003ccode\u003ehelperPod.yaml\u003c/code\u003e template.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003elocal-path-provisioner\u003c/code\u003e creates a HelperPod based on the attacker-controlled template.\u003c/li\u003e\n\u003cli\u003eThe malicious HelperPod is deployed on a node within the cluster, inheriting the injected privileges, such as privileged access or a host root filesystem mount.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the privileged HelperPod to access sensitive host files, read ServiceAccount tokens, or modify files on the host node.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges and potentially compromises the entire node or cluster.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain unauthorized access to sensitive host files, including ServiceAccount tokens from other pods residing on the same node. Attackers can also access other tenants\u0026rsquo; local-path volume data, potentially leading to data breaches and further lateral movement within the cluster. Modification of files on the host node can disrupt services and compromise the integrity of the system. The vulnerability, CVE-2026-44543, presents a significant risk to Kubernetes environments utilizing the Rancher local-path-provisioner.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003elocal-path-provisioner\u003c/code\u003e version v0.0.34 or later to incorporate the fix that validates the HelperPod template, mitigating the risk of injecting malicious configurations (reference: Patches section).\u003c/li\u003e\n\u003cli\u003eRestrict write access to the \u003ccode\u003elocal-path-config\u003c/code\u003e ConfigMap in the \u003ccode\u003elocal-path-storage\u003c/code\u003e namespace, ensuring that only trusted administrators can modify this ConfigMap (reference: Workarounds section).\u003c/li\u003e\n\u003cli\u003eMark the ConfigMap as immutable after deployment to prevent unauthorized modifications (reference: Workarounds section and example \u003ccode\u003ekubectl\u003c/code\u003e command).\u003c/li\u003e\n\u003cli\u003eEnable Kubernetes Pod Security Admission (PSA) for the \u003ccode\u003elocal-path-storage\u003c/code\u003e namespace, enforcing a security policy like \u003ccode\u003ebaseline\u003c/code\u003e to prevent privileged HelperPods from being created, even if the template is altered (reference: Workarounds section and example \u003ccode\u003ekubectl\u003c/code\u003e command).\u003c/li\u003e\n\u003cli\u003eMonitor Kubernetes audit logs for modifications to the \u003ccode\u003elocal-path-config\u003c/code\u003e ConfigMap in the \u003ccode\u003elocal-path-storage\u003c/code\u003e namespace, alerting on unexpected changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T16:18:00Z","date_published":"2026-05-11T16:18:00Z","id":"https://feed.craftedsignal.io/briefs/2026-05-local-path-provisioner-template-injection/","summary":"A malicious user with permission to edit the `local-path-config` ConfigMap in the `local-path-storage` namespace can manipulate the `helperPod.yaml` template used by `rancher/local-path-provisioner`. Security-sensitive fields such as `securityContext.privileged`, `hostPath` volumes, and Linux capabilities can be injected into the template, leading to a privileged pod running on the target node with the host root filesystem mounted.","title":"Rancher local-path-provisioner Vulnerable to HelperPod Template Injection (CVE-2026-44543)","url":"https://feed.craftedsignal.io/briefs/2026-05-local-path-provisioner-template-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Local-Path-Provisioner (\u003c 0.0.34)","version":"https://jsonfeed.org/version/1.1"}