CVE Alert

CVE-2026-47190

Severity: MEDIUM (4.4)

IPAM controller service account granted unnecessary full access to Secrets

CVSS Score: 4.4
EPSS Score: 0.0%
EPSS Percentile: 9th

IPAM is the IP Address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via a supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data. This issue has been patched in versions 1.11.7, 1.12.4, and 1.13.0.
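As an added example (not code from this page or from the metal3-io project), a small RBAC audit in the spirit of the advisory: it reports which verbs a ClusterRole grants on core/v1 Secrets, wildcards included, and derives the narrowed role with Secrets removed. The ClusterRole JSON is constructed for illustration; the events/leases rules stand in for permissions a controller typically does need.

```python
import json

# Constructed ClusterRole (illustration, not the project's own manifest):
# full CRUD on core/v1 Secrets beside the events/leases a controller needs.
OVERLY_BROAD_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "example-controller-role"},
  "rules": [
    {"apiGroups": [""], "resources": ["secrets"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
    {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}
  ]
}
""")

ALL_SECRET_VERBS = {"create", "delete", "deletecollection", "get",
                    "list", "patch", "update", "watch"}


def secrets_access(role):
    """Verbs the role grants on core/v1 Secrets, with wildcards expanded:
    apiGroups "*" covers core, resources "*" covers secrets, verbs "*" all."""
    granted = set()
    for rule in role.get("rules", []):
        if not {"", "*"} & set(rule.get("apiGroups", [])):
            continue
        if not {"secrets", "*"} & set(rule.get("resources", [])):
            continue
        verbs = set(rule.get("verbs", []))
        granted |= ALL_SECRET_VERBS if "*" in verbs else verbs
    return granted


def drop_secrets(role):
    """Copy of the role with Secrets removed from core-group rules (the fix
    described above). A resources wildcard "*" is left for manual review."""
    fixed = json.loads(json.dumps(role))  # deep copy, input untouched
    kept = []
    for rule in fixed.get("rules", []):
        if {"", "*"} & set(rule.get("apiGroups", [])):
            rule["resources"] = [r for r in rule.get("resources", []) if r != "secrets"]
        if rule.get("resources"):  # drop rules left with no resources
            kept.append(rule)
    fixed["rules"] = kept
    return fixed
```

The same audit applies to `kubectl get clusterrole <name> -o json` output for any controller service account; a non-empty result for a controller that never reads Secrets is the condition this advisory describes.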

CWE: CWE-250 (Execution with Unnecessary Privileges)
Vendor: metal3-io
Product: ip-address-manager
Published: Jun 12, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Affected Versions

metal3-io / ip-address-manager
< 1.11.7
< 1.12.4
< 1.13.0

References

https://github.com/metal3-io/ip-address-manager/security/advisories/GHSA-49pm-43hf-6xfq
https://github.com/metal3-io/ip-address-manager/pull/1355
https://github.com/metal3-io/ip-address-manager/pull/1356
https://github.com/metal3-io/ip-address-manager/pull/1357