ZeroPath at Black Hat USA 2026

OpenShift Router CVE-2026-42965: Cloud Metadata SSRF via FQDN EndpointSlice Bypass — Quick Look

A brief summary of CVE-2026-42965, a high severity SSRF vulnerability in the OpenShift Router that allows users with EndpointSlice write access to bypass IP validation by using FQDN typed endpoints that resolve to cloud metadata addresses, potentially exposing instance credentials.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-29

OpenShift Router CVE-2026-42965: Cloud Metadata SSRF via FQDN EndpointSlice Bypass — Quick Look
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A bypass of a five year old security fix in the Kubernetes EndpointSlice validation logic now allows authenticated users to route OpenShift Router traffic directly to cloud metadata endpoints, potentially exposing IAM credentials and sensitive instance metadata. The vulnerability, tracked as CVE-2026-42965, sidesteps the IP address validation introduced for CVE-2021-25737 by using FQDN typed EndpointSlice objects that resolve at runtime to restricted addresses like 169.254.169.254.

What makes this particularly noteworthy is that AWS IMDSv2, widely considered the standard defense against cloud metadata SSRF, does not mitigate this issue. The OpenShift Router's HAProxy process runs as a hostNetwork Pod at Layer 7, giving it direct access to the host network stack and allowing it to satisfy IMDSv2's token retrieval requirements without triggering the hop count protection.

Technical Information

Root Cause: Incomplete Input Validation Across Address Types

The OpenShift Router uses HAProxy to route external traffic to Services within the cluster. When a Service is backed by an EndpointSlice, the Router reads the endpoint addresses and proxies traffic to them. The EndpointSlice API (discovery.k8s.io/v1) supports three endpoint address types: IPv4, IPv6, and FQDN (Fully Qualified Domain Name).

The original vulnerability, CVE-2021-25737, allowed users to create EndpointSlice objects with IP addresses in the localhost (127.0.0.0/8) or link local range (169.254.0.0/16), enabling traffic hijacking to private networks on a node. The fix introduced ValidateNonSpecialIP(), which checks whether an IP is a loopback, link local, or local multicast address. However, this validation only covers IPv4 and IPv6 address types. It does not validate FQDN typed endpoints.

CVE-2026-42965 exploits this gap. An attacker creates an FQDN typed EndpointSlice where the hostname resolves via DNS to a cloud metadata IP address (e.g., 169.254.169.254 on AWS, or equivalent endpoints on Azure and GCP). Since the Router resolves the FQDN at runtime and proxies traffic to the resolved IP, the ValidateEndpointIP() check is never invoked. The Router then forwards requests to the cloud metadata endpoint, enabling the attacker to retrieve instance credentials and other sensitive metadata.

Attack Flow

Exploitation of CVE-2026-42965 follows this sequence:

  1. Prerequisite: Obtain EndpointSlice write access. The attacker must have RBAC permissions to create or modify EndpointSlice objects in the cluster. This could be through a compromised service account, overly permissive role bindings, or insider access.

  2. Create a DNS record. The attacker registers or controls a domain name that resolves to 169.254.169.254 (or another cloud metadata IP). This is trivial; any attacker controlled DNS zone can be configured to return the metadata endpoint IP for a chosen hostname.

  3. Create an FQDN typed EndpointSlice. The attacker creates an EndpointSlice object with addressType: FQDN and sets the endpoint address to the attacker controlled hostname. A corresponding Service is created to back this EndpointSlice.

  4. Create a Route (or Ingress) pointing to the Service. The attacker creates an OpenShift Route that directs traffic through the Router to the Service backed by the malicious EndpointSlice.

  5. Send requests through the Router. When the Router processes incoming requests for this Route, HAProxy resolves the FQDN to 169.254.169.254 and proxies the request to the cloud metadata endpoint. The response, containing instance credentials and metadata, is returned to the attacker.

Why IMDSv2 Fails to Protect

AWS introduced IMDSv2 to defend against SSRF attacks by requiring a PUT request to obtain a session token before metadata can be retrieved. The protection relies on a hop count limit of 1, which prevents requests from traversing network boundaries (such as container network namespaces).

However, the OpenShift Router's HAProxy process runs as a hostNetwork Pod. Because it shares the host's network namespace, it operates at Layer 7 with direct access to the host network. The HAProxy process can make the initial PUT request to obtain the IMDSv2 token and subsequently use it to retrieve metadata. The hop count protection is never triggered because the request originates from the host network itself, not from across a network boundary.

This finding has implications beyond OpenShift: any Kubernetes component running as hostNetwork that can be induced to make outbound HTTP requests may be similarly capable of bypassing IMDSv2.

Comparison with CVE-2021-25737

AttributeCVE-2021-25737CVE-2026-42965
Componentkube-apiserver EndpointSlice validationOpenShift Router (HAProxy)
Endpoint TypeIPv4/IPv6 addresses in restricted rangesFQDN resolving to restricted IPs
Bypassed ControlNone (original gap)ValidateEndpointIP() from CVE-2021-25737 fix
CVSS (NVD)8.87.7
IMDSv2 MitigationPartially effectiveNOT effective (HAProxy hostNetwork at L7)
Default Cloud ExposureBroader (kube-apiserver)Limited (requires HostNetwork publishing)

Attack Prerequisites

The exploitation requires three conditions to be met simultaneously:

  1. EndpointSlice write access: The attacker must have RBAC permissions to create or modify EndpointSlice objects.

  2. HostNetwork endpoint publishing: The IngressController must be configured to use HostNetwork endpoint publishing strategy. This is the default on bare metal and User Provisioned Infrastructure (UPI) installations, but it is NOT the default on cloud provider installations (AWS, Azure, GCP), where the Router typically runs behind a load balancer.

  3. Cloud deployment with metadata service: The cluster must be running on a cloud provider that exposes a metadata service at a well known IP address. On bare metal or on premises deployments, there is typically no metadata endpoint to target, though internal services could still be reached via similar techniques.

CWE Classification

This vulnerability is classified under CWE-918 (Server-Side Request Forgery), which is ranked #22 on the 2025 CWE Top 25 Most Dangerous Software Weaknesses. The pattern is textbook SSRF: the server receives a request (the FQDN), resolves it to an unintended destination (the metadata endpoint), and proxies the request without verifying that the resolved destination is acceptable.

Affected Systems and Versions

Based on the available source materials, the affected component is openshift/router. The vulnerability affects OpenShift Container Platform deployments where:

  • The IngressController uses HostNetwork endpoint publishing strategy (the default on bare metal and UPI deployments)
  • The cluster runs on a cloud provider with an accessible metadata service (AWS, Azure, GCP)

Cloud provider managed OpenShift installations (such as AWS ROSA, Azure ARO) use load balancer based endpoint publishing by default and are NOT vulnerable in their default configuration.

No specific affected version numbers or version ranges have been published in the Bugzilla entry or Red Hat CVE page as of 2026-05-29. The Bugzilla status remains NEW with no "Fixed In Version" field populated.

Vendor Security History

Red Hat has a structured CVE response process and maintains a dedicated Product Security team. However, the OpenShift platform has experienced several notable security issues:

  • CVE-2021-25737: The original EndpointSlice SSRF vulnerability in Kubernetes that allowed IP addresses in restricted ranges. This was patched via RHSA-2021:2437. CVE-2026-42965 is a direct bypass of that fix.

  • CVE-2024-45496 and CVE-2024-7387: Critical vulnerabilities in OpenShift flagged by CERT-EU that allowed attackers to escalate privileges or execute arbitrary code.

The pattern here is worth noting. The fix for CVE-2021-25737 addressed one input channel (IP addresses) but left another (FQDNs) unvalidated. This is a recurring theme in security engineering: partial fixes that address the specific reported attack vector without considering adjacent input types that could achieve the same result.

Red Hat has assigned CVE-2026-42965 a severity and priority of HIGH. Based on the precedent set by CVE-2021-25737, which was patched within months of disclosure via RHSA-2021:2437, we can expect Red Hat to prioritize a fix, though no timeline has been communicated.

Mitigation Strategies

Since no patch is available as of 2026-05-29, organizations should consider the following configuration based mitigations:

Restrict EndpointSlice write access via RBAC. Audit and tighten RBAC permissions so that only trusted users and service accounts can create or modify EndpointSlice objects. This directly reduces the attack surface by limiting who can create the malicious objects.

Deploy a validating admission webhook. A validating admission webhook using Open Policy Agent (OPA) can be configured to reject EndpointSlice objects that contain FQDN typed endpoints. The Sysdig blog on CVE-2021-25737 provides an example OPA Rego policy that validates EndpointSlice addresses against restricted IP ranges. This approach should be extended to also resolve and validate FQDN typed endpoints before admission.

Apply network policies to restrict Router egress. Network policies can be used to block egress traffic from the Router namespace to cloud metadata subnets (169.254.169.254/32 on AWS, and equivalent endpoints on Azure and GCP).

Avoid HostNetwork endpoint publishing on cloud deployments. Since the attack requires the IngressController to use HostNetwork endpoint publishing, cloud deployments should verify they are using the default load balancer based endpoint publishing strategy. If HostNetwork is in use on a cloud deployment, evaluate whether switching to load balancer based publishing is feasible.

Monitor Red Hat security advisories. Track the Red Hat Security Updates page and the Bugzilla entry for patch availability.

Threat Intelligence

As of 2026-05-29, there are no confirmed reports of CVE-2026-42965 being actively exploited in the wild. Recent Red Hat security advisories for OpenShift Container Platform explicitly note that there are no known exploits for the vulnerabilities they address.

However, the broader SSRF to cloud metadata attack pattern is well established and actively used by threat actors. Resecurity has documented how attackers exploit SSRF to access the AWS EC2 Instance Metadata Service at 169.254.169.254 to retrieve temporary IAM credentials. F5 Labs has reported on campaigns specifically targeting Amazon EC2 instance metadata via SSRF. Orca Security has documented SSRF attacks targeting Oracle Cloud metadata services.

No specific threat actors have been identified as targeting CVE-2026-42965. The attack requires authenticated access with EndpointSlice write permissions, which limits the threat to actors who have already gained a foothold in the cluster or have insider access. That said, the SSRF to cloud metadata pattern is well understood by both offensive and defensive practitioners, meaning proof of concept development could proceed rapidly once the vulnerability details are widely known.

The divergence between the NVD CVSS score (7.7) and the Red Hat score (8.6) reflects differing assessments of the attack prerequisites and impact. Red Hat's higher score likely accounts for the severity of cloud credential exposure, while NVD may weigh the limited attack surface (HostNetwork requirement, authenticated access) more heavily. Organizations should assess their own exposure based on their IngressController configuration and cloud deployment model rather than relying solely on CVSS scores.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization