PatchSiren cyber security CVE debrief
CVE-2026-47190 metal3-io CVE debrief
CVE-2026-47190 is a vulnerability in IPAM, the IP Address Manager for Cluster API Provider Metal3. The IPAM controller's ClusterRole granted excessive CRUD (create, delete, get, list, patch, update, watch) permissions on core/v1 Secrets. These excessive permissions could allow an attacker to read, modify, or delete Secrets in the namespace if the controller pod were compromised, potentially exposing credentials and other sensitive data. The issue was patched in versions 1.11.7, 1.12.4, and 1.13.0.
- Vendor: metal3-io
- Product: ip-address-manager
- CVSS: MEDIUM 4.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Cluster API Provider Metal3 with IPAM versions prior to 1.11.7, 1.12.4, or 1.13.0 should update to a patched version to prevent potential unauthorized access to sensitive data.
Technical summary
The IPAM controller's ClusterRole had excessive permissions on core/v1 Secrets, allowing full CRUD operations. This could be exploited if the controller pod were compromised, potentially leading to unauthorized access to sensitive data.
Defensive priority
Medium
Recommended defensive actions
- Update IPAM to version 1.11.7, 1.12.4, or 1.13.0 or later.
- Review and restrict ClusterRole permissions for the IPAM controller.
- Monitor for suspicious activity related to Secret resources.
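One way to carry out the ClusterRole review recommended above, and to spot the over-permissive Secrets rule the technical summary describes, as an added example that is not PatchSiren's or the metal3-io project's code: the script parses the JSON shape that `kubectl get clusterroles -o json` returns and reports every ClusterRole granting more than read access to core/v1 Secrets. The sample document, the role names, and the second API group in it are constructed for illustration.

```python
import json

# Verbs that go beyond reading a Secret (a wildcard verb counts as write).
WRITE_VERBS = {"create", "delete", "deletecollection", "patch", "update", "*"}

# Constructed sample in the shape of `kubectl get clusterroles -o json`.
# Role names are hypothetical; the first rule mirrors the verb list in the advisory.
SAMPLE_CLUSTERROLES = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "ipam-manager-role"},
         "rules": [
             {"apiGroups": [""], "resources": ["secrets"],
              "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
             {"apiGroups": ["ipam.metal3.io"], "resources": ["ippools"],
              "verbs": ["get", "list", "watch"]},
         ]},
        {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
         "rules": [{"apiGroups": [""], "resources": ["secrets"],
                    "verbs": ["get", "list", "watch"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    ],
})


def _touches_secrets(rule):
    """True when a rule covers core/v1 Secrets, including via wildcards."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    return ("" in groups or "*" in groups) and ("secrets" in resources or "*" in resources)


def find_secret_writers(clusterroles_json):
    """Map role name -> sorted write verbs for every role that can modify Secrets."""
    findings = {}
    for item in json.loads(clusterroles_json).get("items", []):
        granted = set()
        for rule in item.get("rules") or []:  # aggregated roles may carry null rules
            if _touches_secrets(rule):
                granted |= WRITE_VERBS & set(rule.get("verbs", []))
        if granted:
            findings[item["metadata"]["name"]] = sorted(granted)
    return findings


if __name__ == "__main__":
    for role, verbs in find_secret_writers(SAMPLE_CLUSTERROLES).items():
        print(f"{role}: can modify Secrets via {', '.join(verbs)}")
```

Against a live cluster, feed the output of `kubectl get clusterroles -o json` to `find_secret_writers`; any controller role it lists is a candidate for the least-privilege review above.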
Evidence notes
The CVE was published on 2026-06-12T16:16:29.643Z and modified on 2026-06-12T16:24:31.187Z. The vulnerability has a CVSS score of 4.4 and is classified as MEDIUM severity.
Official resources
CVE-2026-47190 was published on 2026-06-12T16:16:29.643Z and modified on 2026-06-12T16:24:31.187Z.