
CVE-2026-32241: Command Injection in Flannel Experimental Extension Backend
Vulnerability ID: CVE-2026-32241
CVSS Score: 7.5
Published: 2026-03-27

Flannel versions prior to 0.28.2 contain a high-severity command injection vulnerability in the experimental Extension backend. Unsanitized Kubernetes Node annotations are passed directly to a system shell, permitting an attacker with node modification privileges to execute arbitrary commands as root on the host.

TL;DR

The Flannel experimental Extension backend evaluates unsanitized node annotation data through a shell wrapper. An attacker with RBAC permission to modify Node objects can inject shell commands into that data and gain root-level execution on the Kubernetes node.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-77 (Improper Neutralization of Special Elements used in a Command)
Attack Vector: Network
Privileges Required: Low (Node annotation access)
CVSS v3.1 Score: 7.5 (High)
Impact: Remote code execution as root on the host; the attacker must already hold write access to Node objects, so this is an authenticated, not an unauthenticated, RCE
Patched Version: v0.28.2

Affected Systems

flannel-io/flanne
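The injection pattern the advisory describes, beside the hardened form a reviewer would ask for, as an added example in Go (flannel's language). This is not flannel's code and not from the original article: the annotation key, the hook path, and the annotation values are constructed for illustration, and the real backend's annotation names and command plumbing are not shown on this page.

```go
package main

import (
	"fmt"
	"net"
	"os/exec"
)

// Hypothetical names for illustration; neither is flannel's own.
const (
	annotationKey = "example.invalid/extension-subnet"
	hookPath      = "/usr/local/bin/extension-hook"
)

// Constructed Node annotations, as an attacker with RBAC permission to
// update or patch Node objects could set them. The payload appends a second
// command after a shell separator.
var sampleAnnotations = map[string]string{
	annotationKey: "10.244.1.0/24; id",
}

// vulnerableArgv reproduces the pattern the advisory describes: the raw
// annotation value is interpolated into a command line that a shell parses,
// so metacharacters in the value (';', '|', '$(...)', backticks) become
// additional commands running with the daemon's privileges (root on the host).
func vulnerableArgv(hook string, annotations map[string]string) []string {
	value := annotations[annotationKey]
	return []string{"sh", "-c", fmt.Sprintf("%s %s", hook, value)}
}

// hardenedArgv applies two fixes: validate the value against the format the
// hook actually expects (here a CIDR), and hand it to the hook as a separate
// argv element with no shell in between. Even if validation were bypassed,
// nothing would parse the value as command syntax.
func hardenedArgv(hook string, annotations map[string]string) ([]string, error) {
	value, ok := annotations[annotationKey]
	if !ok {
		return nil, fmt.Errorf("annotation %s is not set", annotationKey)
	}
	if _, _, err := net.ParseCIDR(value); err != nil {
		return nil, fmt.Errorf("rejecting %s=%q: %w", annotationKey, value, err)
	}
	return []string{hook, value}, nil
}

// run executes argv and returns its combined output; used by main only.
func run(argv []string) string {
	out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput()
	if err != nil {
		return fmt.Sprintf("%s(error: %v)\n", out, err)
	}
	return string(out)
}

func main() {
	// "echo" stands in for the hook so the demonstration runs anywhere:
	// whatever the hook would have received is simply printed back.
	vuln := vulnerableArgv("echo", sampleAnnotations)
	// The shell prints the CIDR, then runs the injected "id".
	fmt.Printf("vulnerable argv: %q\n%s", vuln, run(vuln))

	// The same malicious value never reaches exec in the hardened form.
	if _, err := hardenedArgv("echo", sampleAnnotations); err != nil {
		fmt.Println("hardened:", err)
	}

	// A well-formed value is passed through as a single argv element.
	benign := map[string]string{annotationKey: "10.244.1.0/24"}
	hard, _ := hardenedArgv("echo", benign)
	fmt.Printf("hardened argv:   %q\n%s", hard, run(hard))
}
```

Running it shows the difference directly: under `sh -c` the text after `;` executes as a command, whereas the hardened path rejects that value before any process is spawned and, for a valid CIDR, the hook sees exactly one argument. Operationally the fix is to upgrade to v0.28.2 or later; until then, review which subjects can update or patch Node objects (for a given identity, `kubectl auth can-i patch nodes --as=<subject>`), since that permission is the only precondition the advisory names.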
Continue reading on Dev.to




