{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/k8sgpt-ai/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["k8sgpt"],"_cs_severities":["high"],"_cs_tags":["prompt-injection","kubernetes","ai","vulnerability"],"_cs_type":"advisory","_cs_vendors":["k8sgpt-ai"],"content_html":"\u003cp\u003ek8sGPT is an open-source project that leverages AI to analyze and remediate Kubernetes cluster issues. A critical vulnerability exists in k8sGPT versions prior to 0.4.32, specifically within the k8sGPT-Operator component. The vulnerability stems from the auto-remediation pipeline in \u003ccode\u003eobject_to_execution.go\u003c/code\u003e, which deserializes AI-generated YAML directly into a Kubernetes Deployment object without adequate validation. This lack of validation allows for prompt injection, where malicious YAML payloads generated by the AI can overwrite or modify existing deployments in unexpected ways. This can be exploited by attackers to gain control over resources within the Kubernetes cluster by crafting malicious AI prompts to inject malicious code into deployment configurations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious prompt designed to generate YAML code that includes malicious configurations (e.g., mounting host volumes, privileged containers).\u003c/li\u003e\n\u003cli\u003eThe k8sGPT-Operator receives the prompt and uses its AI engine to generate a YAML manifest for a Kubernetes Deployment object.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eobject_to_execution.go\u003c/code\u003e component deserializes the AI-generated YAML manifest directly into a Kubernetes Deployment object.\u003c/li\u003e\n\u003cli\u003eDue to the lack of validation, the malicious configurations within the YAML manifest are not detected.\u003c/li\u003e\n\u003cli\u003eThe k8sGPT-Operator applies the modified Deployment object to the Kubernetes cluster via the Kubernetes API.\u003c/li\u003e\n\u003cli\u003eThe Kubernetes scheduler creates pods based on the compromised Deployment object, potentially executing malicious code within the cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the deployed pod, potentially escalating privileges to other resources within the cluster.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to inject arbitrary code into Kubernetes deployments, potentially leading to full cluster compromise. While the precise number of affected installations is unknown, any k8sGPT deployment prior to version 0.4.32 is susceptible. This could lead to data breaches, denial of service, or complete control over the Kubernetes environment. Organizations using k8sGPT for automated remediation should immediately upgrade to version 0.4.32 or later.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade k8sGPT to version 0.4.32 or later to patch the vulnerability (reference: Affected versions).\u003c/li\u003e\n\u003cli\u003eImplement additional validation of Deployment objects before applying them to the cluster to prevent malicious configurations (reference: Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect attempts to create privileged containers or mount sensitive host paths (reference: Sigma rule).\u003c/li\u003e\n\u003cli\u003eMonitor Kubernetes audit logs for suspicious activity related to Deployment object modifications (reference: Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T16:41:39Z","date_published":"2026-04-24T16:41:39Z","id":"/briefs/2026-04-k8sgpt-prompt-injection/","summary":"k8sGPT versions before 0.4.32 are vulnerable to prompt injection due to deserialization of AI-generated YAML without proper validation in the auto-remediation pipeline, potentially leading to arbitrary code execution within the Kubernetes cluster.","title":"k8sGPT Operator Vulnerable to Prompt Injection","url":"https://feed.craftedsignal.io/briefs/2026-04-k8sgpt-prompt-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — K8sgpt-Ai","version":"https://jsonfeed.org/version/1.1"}