Flannel is a popular network fabric solution used in Kubernetes environments to provide overlay networking for containerized workloads. The vulnerability CVE-2026-32241 affects the experimental Extension backend of Flannel versions prior to 0.28.2. This backend allows users to prototype new backend types and relies on Kubernetes Node annotations to receive configuration data. Specifically, the SubnetAddCommand and SubnetRemoveCommand functions read data from the flannel.alpha.coreos.com/backend-data annotation, unmarshalling it and then piping it directly into shell commands without any validation or sanitization. This improper neutralization of special elements (CWE-77) leads to command injection, enabling an attacker who can modify Node annotations to execute arbitrary commands with root privileges on every node running Flannel in the cluster. Since Kubernetes Node annotations can be modified by users with certain cluster privileges, this vulnerability effectively escalates privileges and compromises the entire cluster’s node security. The vulnerability does not affect other Flannel backends such as vxlan or wireguard. The issue was publicly disclosed on March 27, 2026, with a CVSS 3.1 base score of 7.5, indicating high severity. No public exploits have been reported yet. The fix was introduced in Flannel version 0.28.2, which properly sanitizes input and prevents command injection. As a workaround, users can switch to unaffected backends until they upgrade.

The impact of CVE-2026-32241 is significant for organizations running Kubernetes clusters with Flannel using the experimental Extension backend. Successful exploitation allows attackers with limited privileges (ability to set Node annotations) to gain root-level command execution on all nodes running Flannel, leading to full compromise of the cluster’s underlying infrastructure. This can result in data breaches, lateral movement within the cluster, disruption of container workloads, and potential persistence mechanisms. The vulnerability affects the confidentiality, integrity, and availability of the cluster environment. Given Kubernetes’ widespread use in cloud-native deployments, this vulnerability could disrupt critical business applications and services. Although no exploits are known in the wild yet, the ease of exploitation (no user interaction required, network accessible) and the scope (all nodes in the cluster) make this a high-risk issue. Organizations relying on the Extension backend face elevated risk of cluster-wide compromise if not remediated promptly.

1. Upgrade Flannel to version 0.28.2 or later immediately to apply the official fix that sanitizes input and prevents command injection. 2. If upgrading is not immediately feasible, switch to a non-vulnerable backend such as vxlan or wireguard to eliminate exposure. 3. Restrict permissions to modify Kubernetes Node annotations to trusted administrators only, minimizing the risk of unauthorized annotation changes. 4. Implement Kubernetes Role-Based Access Control (RBAC) policies to tightly control who can edit Node annotations. 5. Monitor Kubernetes audit logs for suspicious annotation changes, especially to flannel.alpha.coreos.com/backend-data. 6. Employ runtime security tools to detect anomalous command execution on nodes running Flannel. 7. Regularly scan clusters for usage of the vulnerable Extension backend and track Flannel versions deployed. 8. Educate cluster operators about this vulnerability and the risks of using experimental backends in production environments.