Flannel versions prior to 0.28.2 contain a command injection vulnerability (CWE-77) in the experimental Extension backend. This backend processes Kubernetes Node annotations that can be controlled by an attacker with limited privileges. The vulnerability occurs because the backend unmarshals the 'flannel.alpha.coreos.com/backend-data' annotation and pipes its content directly to shell commands (SubnetAddCommand and SubnetRemoveCommand) without validation, enabling root-level arbitrary command execution on all flannel nodes in the cluster. Other backends like vxlan and wireguard are unaffected. The vulnerability is addressed in Flannel 0.28.2, and users are advised to upgrade or switch to a different backend.

Successful exploitation allows an attacker who can modify Kubernetes Node annotations to execute arbitrary commands with root privileges on every flannel node in the cluster. This can lead to full compromise of the affected nodes, impacting confidentiality, integrity, and availability of the cluster's network fabric. The vulnerability affects only the experimental Extension backend and not other backends such as vxlan or wireguard.

A fix is available in Flannel version 0.28.2. Users should upgrade to this version to remediate the vulnerability. As an alternative workaround, users can switch to other Flannel backends like vxlan or wireguard, which are not affected by this issue. Patch status is confirmed fixed in version 0.28.2.