Kube-router is a Kubernetes networking solution that integrates routing, network policy enforcement, and service proxying. In versions prior to 2.8.0, the proxy module fails to properly validate externalIPs and loadBalancer IPs before programming them into the node's network stack. This improper access control vulnerability (CWE-284) allows an attacker with privileges to create or modify Kubernetes services to specify arbitrary external IP addresses. Because these IPs are programmed directly into the node's network configuration without validation, an attacker can redirect or disrupt network traffic, potentially causing denial of service or interfering with legitimate network operations. The vulnerability does not expose confidential data but compromises the integrity and availability of network services. The CVSS 3.1 score is 7.1 (high), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and impact on integrity and availability. The vulnerability was reserved on 2026-03-11 and published on 2026-03-18. The vendor patched the issue in kube-router 2.8.0. Workarounds include enabling the DenyServiceExternalIPs feature gate to block external IPs, deploying admission control policies to restrict service creation, limiting RBAC permissions for service creation, monitoring service changes for suspicious activity, and applying BGP prefix filtering to control route advertisements. No known exploits have been reported in the wild, but the vulnerability's nature and ease of exploitation make it a significant risk for Kubernetes clusters using affected kube-router versions.

This vulnerability primarily impacts the integrity and availability of Kubernetes cluster networking. Attackers with limited privileges can manipulate network configurations by injecting arbitrary external IP addresses, potentially redirecting traffic, causing denial of service, or disrupting cluster communications. This can lead to service outages, degraded application performance, or network instability. Organizations relying on kube-router for Kubernetes networking, especially in production environments, face risks of operational disruption and potential cascading failures in microservices architectures. While confidentiality is not directly affected, the disruption of network services can impact business continuity and customer trust. The vulnerability's exploitation requires privileges to create or modify services, which may be attainable in multi-tenant or poorly secured clusters. Given the widespread adoption of Kubernetes and cloud-native technologies, the potential impact is significant, especially for enterprises running critical workloads on clusters using vulnerable kube-router versions.

1. Upgrade kube-router to version 2.8.0 or later, which contains the official patch for this vulnerability. 2. Enable the DenyServiceExternalIPs feature gate in Kubernetes to prevent services from specifying external IPs unless explicitly allowed. 3. Implement strict admission control policies that validate and restrict service creation and modification, ensuring only authorized users can create services with external IPs. 4. Restrict RBAC permissions to limit which users or service accounts can create or modify services, minimizing the attack surface. 5. Continuously monitor Kubernetes service resources for unexpected changes to externalIPs or loadBalancer IPs, using automated alerting to detect suspicious activity. 6. Apply BGP prefix filtering on network routers to control and validate route advertisements, preventing unauthorized IP prefixes from being propagated. 7. Conduct regular security audits and penetration testing focused on Kubernetes networking configurations and RBAC policies. 8. Educate cluster administrators and DevOps teams about this vulnerability and best practices for secure Kubernetes networking.