Cyber Posture

CVE-2026-29955

Severity: High · Public PoC available

Published: 13 April 2026
Modified: 01 May 2026
KEV Added: (no value given)
Patch: (no value given)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

The `/registercrd` endpoint in KubePlus 4.14, in the kubeconfiggenerator component, is vulnerable to command injection. The component uses `subprocess.Popen()` with the `shell=True` parameter to execute shell commands, and the user-supplied `chartName` parameter is directly concatenated into the command string without any sanitization or validation. An attacker can inject arbitrary shell commands by crafting a malicious `chartName` parameter value.

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Directly requires validation of the user-supplied chartName parameter to block malicious shell command injection in the /registercrd endpoint.
- prevent: Enforces restrictions on inputs at the endpoint boundary to prevent unsanitized chartName values from enabling command injection.
- prevent: Mandates timely remediation of the specific command injection flaw in the kubeconfiggenerator component's subprocess.Popen usage.

Security Summary [AI]

CVE-2026-29955 is a command injection vulnerability affecting the `/registercrd` endpoint in the kubeconfiggenerator component of KubePlus version 4.14. The flaw arises because the component invokes `subprocess.Popen()` with the `shell=True` parameter to execute shell commands, directly concatenating the user-supplied `chartName` parameter into the command string without sanitization or validation. This was published on 2026-04-13 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-94 (Improper Control of Generation of Code).

An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction required. By crafting a malicious `chartName` value, the attacker injects arbitrary shell commands, potentially achieving high confidentiality, integrity, and availability impacts, such as executing unauthorized code on the host system running the kubeconfiggenerator.
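As an added illustration, not code from KubePlus or its advisory (the `helm pull` command, the chart-name allowlist and the function names are assumptions of the example), the concatenated `shell=True` pattern the record describes is shown beside the hardened form a maintainer would use:

```python
import re
import subprocess
from typing import List

# Hypothetical allowlist for a Helm-style chart name (an assumption of this
# example, not KubePlus's policy): starts alphanumeric, then lowercase
# letters, digits, '.' or '-', at most 63 characters in total.
CHART_NAME_RE = re.compile(r"[a-z0-9][a-z0-9.-]{0,62}")


def is_valid_chart_name(chart_name: str) -> bool:
    """True only for a plain chart name; shell metacharacters never match."""
    return CHART_NAME_RE.fullmatch(chart_name) is not None


def build_command_unsafe(chart_name: str) -> str:
    """The vulnerable pattern: untrusted input concatenated into one string.

    Running this with subprocess.Popen(cmd, shell=True) would hand the whole
    line, injected text included, to /bin/sh. It is built here, never run.
    """
    return "helm pull " + chart_name


def build_command_safe(chart_name: str) -> List[str]:
    """Hardened pattern: validate, then use an argv list (shell=False).

    The chart name becomes exactly one argument, so no shell parses it.
    """
    if not is_valid_chart_name(chart_name):
        raise ValueError(f"invalid chartName: {chart_name!r}")
    return ["helm", "pull", chart_name]


def argv_keeps_input_literal(value: str) -> str:
    """Show what shell=False means: the value reaches the child unchanged.

    Uses printf instead of helm so it runs anywhere; returns child stdout.
    """
    result = subprocess.run(["printf", "%s", value], shell=False,
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample input carrying a shell separator.
    sample = "my-chart; echo injected"
    print("unsafe string:", build_command_unsafe(sample))
    print("valid name?  ", is_valid_chart_name(sample))
    print("argv literal:", argv_keeps_input_literal(sample))
```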

Advisories and further details are documented in the provided references, including a GitHub Gist at https://gist.github.com/b0b0haha/f011fdd69adc3ae272a4e3b99af90163 and a GitHub repository README at https://github.com/b0b0haha/CVE-2026-29955/blob/main/README.md.

Details

CWE(s): (none listed on this record)

Affected Products: cloudark kubeplus ≤ 4.2.0

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection via unsanitized user input to subprocess.Popen(shell=True) on a network-accessible /registercrd endpoint directly enables remote exploitation of a public-facing application (T1190) to achieve arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References