{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29954", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-30T18:42:18.548Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-30T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T16:25:36.231Z"}, "descriptions": [{"lang": "en", "value": "In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More critically, when kubeconfiggenerator uses wget to download charts, the chartURL is directly concatenated into the command, allowing attackers to inject wget's `--header` option to achieve arbitrary HTTP header injection."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://gist.github.com/b0b0haha/33baea60fd2a847f11f1fb02e43c64c0"}, {"url": "https://github.com/b0b0haha/CVE-2026-29954/blob/main/README.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-88", "lang": "en", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T18:40:31.139944Z", "id": "CVE-2026-29954", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:42:18.548Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29954", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T18:40:31.139944Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:39:20.851Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://gist.github.com/b0b0haha/33baea60fd2a847f11f1fb02e43c64c0"}, {"url": "https://github.com/b0b0haha/CVE-2026-29954/blob/main/README.md"}], "descriptions": [{"lang": "en", "value": "In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More critically, when kubeconfiggenerator uses wget to download charts, the chartURL is directly concatenated into the command, allowing attackers to inject wget's `--header` option to achieve arbitrary HTTP header injection."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T16:25:36.231Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29954", "state": "PUBLISHED", "dateUpdated": "2026-03-30T18:42:18.548Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-30T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More critically, when kubeconfiggenerator uses wget to download charts, the chartURL is directly concatenated into the command, allowing attackers to inject wget's `--header` option to achieve arbitrary HTTP header injection."}, {"lang": "es", "value": "En KubePlus 4.1.4, los componentes mutating webhook y kubeconfiggenerator tienen una vulnerabilidad SSRF al procesar el campo chartURL de los recursos ResourceComposition. El campo solo est\u00e1 codificado en URL sin validar la direcci\u00f3n de destino. M\u00e1s cr\u00edticamente, cuando kubeconfiggenerator utiliza wget para descargar charts, la chartURL se concatena directamente en el comando, permitiendo a los atacantes inyectar la opci\u00f3n --header de wget para lograr la inyecci\u00f3n arbitraria de encabezados HTTP."}], "id": "CVE-2026-29954", "lastModified": "2026-04-01T14:24:21.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-30T17:16:15.867", "references": [{"source": "cve@mitre.org", "url": "https://gist.github.com/b0b0haha/33baea60fd2a847f11f1fb02e43c64c0"}, {"source": "cve@mitre.org", "url": "https://github.com/b0b0haha/CVE-2026-29954/blob/main/README.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}, {"lang": "en", "value": "CWE-918"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-30T20:53:16.476381+00:00", "value": {"mitigation_remediation": ["Acquire and install an updated KubePlus release that addresses the chartURL validation failure when available.", "If no patch exists, temporarily disable the mutating webhook and kubeconfiggenerator components until remediation is applied.", "Configure network segmentation or firewall rules to restrict outbound traffic from the KubePlus service so it cannot reach sensitive internal services or arbitrary external URLs.", "Implement monitoring to detect and alert on unexpected outbound HTTP requests or abnormal header values originating from KubePlus pods."], "summary": {"action": "Apply Patch", "impact": "SSRF and HTTP header injection"}, "threat_synthesis": {"affected_systems": "Only KubePlus 4.1.4 is listed as affected. No other vendors or product versions are disclosed in the available data.", "description_and_impact": "The flaw exists in KubePlus version 4.1.4, where the mutating webhook and kubeconfiggenerator components process the chartURL field of ResourceComposition resources without proper validation. The value is only URL\u2011encoded, allowing an attacker to craft a request that forces the system to make an outbound HTTP call to an arbitrary internal or external destination. In addition, the kubeconfiggenerator concatenates the chartURL into a wget command, which lets an attacker inject the --header option and add arbitrary HTTP headers to the request. This combination permits server\u2011side request forgery and header spoofing, potentially exposing internal services or redirecting traffic.", "risk_and_exploitability": "With a CVSS score of 7.6, the vulnerability is classified as high severity. Exploitation requires the ability to create or modify a ResourceComposition object through the Kubernetes API, which typically demands cluster\u2011level permissions or compromised credentials. Once an attacker gains that access, they can direct KubePlus to reach any network endpoint the pod can access and manipulate the HTTP request headers, leading to data leakage, unauthorized service access, or downstream request forgery. The ease of exploitation stems from the lack of input validation and the direct usage of the supplied URL in shell commands. The exploit probability is not provided, and the vulnerability is not listed in the official known exploited vulnerabilities catalog."}}}}, "created": "2026-03-30T20:56:28.781292+00:00", "title": "SSRF and HTTP Header Injection in KubePlus 4.1.4", "updated": "2026-03-30T20:56:28.781320+00:00", "vendors": []}