CVE-2026-44543: CWE-269: Improper Privilege Management in rancher local-path-provisioner
Local Path Provisioner provides a way for the Kubernetes users to utilize the local storage in each node. Prior to 0.0.36, a malicious user with permission to edit the local-path-config ConfigMap in the local-path-storage namespace can manipulate the helperPod.yaml template used by rancher/local-path-provisioner. The helperPod.yaml template is loaded by the provisioner and used to create HelperPods during PVC provisioning and cleanup operations. However, the template is not sufficiently validated before use. Security-sensitive fields such as securityContext.privileged, hostPath volumes, and Linux capabilities can be injected into the template. When a PVC operation triggers HelperPod creation, the provisioner creates the HelperPod using the attacker-controlled template. This can result in a privileged pod running on the target node with the host root filesystem mounted. This may allow the attacker to access sensitive host files, read ServiceAccount tokens from other pods on the same node, access other tenants' local-path volume data, or modify files on the host node. This vulnerability is fixed in 0.0.36.
AI Analysis
Technical Summary
The local-path-provisioner component in rancher Kubernetes environments uses a helperPod.yaml template to create HelperPods for persistent volume claim provisioning and cleanup. Prior to version 0.0.36, this template could be manipulated by a user with edit permissions on the local-path-config ConfigMap in the local-path-storage namespace. The template lacked sufficient validation, allowing injection of security-sensitive fields such as privileged securityContext, hostPath volumes, and Linux capabilities. When the provisioner creates a HelperPod from this attacker-controlled template, it results in a privileged pod running on the node with the host root filesystem mounted. This can lead to unauthorized access to host files, ServiceAccount tokens, and other tenants' local-path volume data, or modification of host files. The issue is addressed by fixing the validation in version 0.0.36.
Potential Impact
An attacker with permission to edit the local-path-config ConfigMap can escalate privileges by causing the creation of privileged pods with host filesystem access. This compromises host security by exposing sensitive files, ServiceAccount tokens, and data belonging to other tenants. The vulnerability can lead to significant confidentiality and integrity breaches on affected Kubernetes nodes.
Mitigation Recommendations
This vulnerability is fixed in local-path-provisioner version 0.0.36. Users should upgrade to version 0.0.36 or later to remediate this issue. Patch status is not explicitly confirmed by a vendor advisory in the provided data, but the description states the fix is included in version 0.0.36. Until upgraded, restrict permissions to edit the local-path-config ConfigMap to trusted users only.
CVE-2026-44543: CWE-269: Improper Privilege Management in rancher local-path-provisioner
Description
Local Path Provisioner provides a way for the Kubernetes users to utilize the local storage in each node. Prior to 0.0.36, a malicious user with permission to edit the local-path-config ConfigMap in the local-path-storage namespace can manipulate the helperPod.yaml template used by rancher/local-path-provisioner. The helperPod.yaml template is loaded by the provisioner and used to create HelperPods during PVC provisioning and cleanup operations. However, the template is not sufficiently validated before use. Security-sensitive fields such as securityContext.privileged, hostPath volumes, and Linux capabilities can be injected into the template. When a PVC operation triggers HelperPod creation, the provisioner creates the HelperPod using the attacker-controlled template. This can result in a privileged pod running on the target node with the host root filesystem mounted. This may allow the attacker to access sensitive host files, read ServiceAccount tokens from other pods on the same node, access other tenants' local-path volume data, or modify files on the host node. This vulnerability is fixed in 0.0.36.
CVSS v3.1
Score 8.7high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The local-path-provisioner component in rancher Kubernetes environments uses a helperPod.yaml template to create HelperPods for persistent volume claim provisioning and cleanup. Prior to version 0.0.36, this template could be manipulated by a user with edit permissions on the local-path-config ConfigMap in the local-path-storage namespace. The template lacked sufficient validation, allowing injection of security-sensitive fields such as privileged securityContext, hostPath volumes, and Linux capabilities. When the provisioner creates a HelperPod from this attacker-controlled template, it results in a privileged pod running on the node with the host root filesystem mounted. This can lead to unauthorized access to host files, ServiceAccount tokens, and other tenants' local-path volume data, or modification of host files. The issue is addressed by fixing the validation in version 0.0.36.
Potential Impact
An attacker with permission to edit the local-path-config ConfigMap can escalate privileges by causing the creation of privileged pods with host filesystem access. This compromises host security by exposing sensitive files, ServiceAccount tokens, and data belonging to other tenants. The vulnerability can lead to significant confidentiality and integrity breaches on affected Kubernetes nodes.
Mitigation Recommendations
This vulnerability is fixed in local-path-provisioner version 0.0.36. Users should upgrade to version 0.0.36 or later to remediate this issue. Patch status is not explicitly confirmed by a vendor advisory in the provided data, but the description states the fix is included in version 0.0.36. Until upgraded, restrict permissions to edit the local-path-config ConfigMap to trusted users only.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-06T19:38:10.567Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1871ece29bf47b50124581
Added to database: 5/28/2026, 4:48:44 PM
Last enriched: 5/28/2026, 5:03:47 PM
Last updated: 5/29/2026, 3:24:19 PM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.