H3-2026-0002
Kubernetes Nodes Proxy GET Permission Remote Code Execution
| Field | Value |
| --- | --- |
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 8.8 |
Description
A subject (service account, user or group) that holds the `get` verb on the `nodes/proxy` subresource can reach the kubelet's exec endpoint (`/exec/<namespace>/<pod>/<container>`) through the API server's node proxy path (`/api/v1/nodes/<node>/proxy/...`). The WebSocket upgrade that carries the exec session is an HTTP GET, so both the API server's RBAC check and the kubelet's webhook authorizer evaluate it as `get` on `nodes/proxy`; the request is never checked against `create` on `pods/exec`, the permission that normally gates `kubectl exec`. The result is command execution in arbitrary containers with a permission that is often handed out for read-only purposes such as metrics scraping.
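The practical check for this finding is an RBAC audit: which ClusterRoles grant `get` on `nodes/proxy`, and which principals are bound to them. The script below is an added example, not part of this advisory or of any Kubernetes project code. It consumes the JSON shape that `kubectl get clusterroles,clusterrolebindings -o json` produces; the objects embedded in it are constructed sample data (a wildcard `cluster-admin`, a weak `kubelet-scraper` role that uses `nodes/proxy`, a corrected one that uses `nodes/metrics`, and a decoy in the wrong API group) rather than output from a real cluster. It only looks at ClusterRoles and ClusterRoleBindings because nodes are cluster-scoped, so a namespaced Role or RoleBinding cannot grant access to them.

```python
"""Audit RBAC for the `get nodes/proxy` grant this finding describes.

The objects below are constructed sample data in the shape that
`kubectl get clusterroles,clusterrolebindings -o json` returns; they are
not taken from a real cluster.
"""
import json

CORE_API_GROUP = ""  # nodes live in the core API group, written as "" in RBAC rules

# Constructed sample: one ClusterRole per case the audit must distinguish.
SAMPLE_RBAC = {
    "kind": "List",
    "items": [
        {   # wildcard rule, matches everything, must be flagged
            "kind": "ClusterRole",
            "metadata": {"name": "cluster-admin"},
            "rules": [
                {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                {"nonResourceURLs": ["*"], "verbs": ["*"]},
            ],
        },
        {   # the weak setting: a scraper given nodes/proxy to reach the kubelet
            "kind": "ClusterRole",
            "metadata": {"name": "kubelet-scraper"},
            "rules": [
                {"apiGroups": [""], "resources": ["nodes", "nodes/proxy"],
                 "verbs": ["get", "list", "watch"]},
            ],
        },
        {   # the corrected setting: nodes/metrics covers /metrics, no exec path
            "kind": "ClusterRole",
            "metadata": {"name": "kubelet-scraper-hardened"},
            "rules": [
                {"apiGroups": [""], "resources": ["nodes", "nodes/metrics"],
                 "verbs": ["get", "list", "watch"]},
            ],
        },
        {   # wrong API group: "nodes/proxy" under "apps" matches no real resource
            "kind": "ClusterRole",
            "metadata": {"name": "apps-proxy-reader"},
            "rules": [
                {"apiGroups": ["apps"], "resources": ["nodes/proxy"], "verbs": ["get"]},
            ],
        },
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "prometheus"},
            "roleRef": {"kind": "ClusterRole", "name": "kubelet-scraper"},
            "subjects": [{"kind": "ServiceAccount", "name": "prometheus",
                          "namespace": "monitoring"}],
        },
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "prometheus-hardened"},
            "roleRef": {"kind": "ClusterRole", "name": "kubelet-scraper-hardened"},
            "subjects": [{"kind": "ServiceAccount", "name": "prometheus-v2",
                          "namespace": "monitoring"}],
        },
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "cluster-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "system:masters"}],
        },
    ],
}


def rule_grants_nodes_proxy_get(rule):
    """True if one RBAC PolicyRule allows GET on the nodes/proxy subresource.

    Wildcards follow RBAC semantics: "*" matches any verb, apiGroup or
    resource, and "*/proxy" matches the proxy subresource of every resource.
    A rule outside the core apiGroup never matches, because nodes are core.
    """
    verb_ok = not {"*", "get"}.isdisjoint(rule.get("verbs", []))
    group_ok = not {"*", CORE_API_GROUP}.isdisjoint(rule.get("apiGroups", []))
    resource_ok = not {"*", "nodes/proxy", "*/proxy"}.isdisjoint(rule.get("resources", []))
    return verb_ok and group_ok and resource_ok


def risky_cluster_roles(rbac):
    """Names of ClusterRoles with at least one rule granting get on nodes/proxy."""
    return [obj["metadata"]["name"] for obj in rbac["items"]
            if obj["kind"] == "ClusterRole"
            and any(rule_grants_nodes_proxy_get(r) for r in obj.get("rules", []))]


def subjects_with_nodes_proxy_get(rbac):
    """Principals that hold the grant through a ClusterRoleBinding to a risky role."""
    risky = set(risky_cluster_roles(rbac))
    found = set()
    for obj in rbac["items"]:
        if obj["kind"] != "ClusterRoleBinding":
            continue
        ref = obj.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky:
            continue
        for s in obj.get("subjects", []):
            if s["kind"] == "ServiceAccount":
                found.add(f"system:serviceaccount:{s['namespace']}:{s['name']}")
            else:
                found.add(f"{s['kind']}:{s['name']}")
    return sorted(found)


if __name__ == "__main__":
    import sys
    # Pipe real cluster output in, or fall back to the constructed sample.
    rbac = SAMPLE_RBAC if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps({"cluster_roles": risky_cluster_roles(rbac),
                      "subjects": subjects_with_nodes_proxy_get(rbac)}, indent=2))
```

Run against a live cluster with `kubectl get clusterroles,clusterrolebindings -o json | python3 audit_nodes_proxy.py`. For a single principal, `kubectl auth can-i get nodes --subresource=proxy --as=system:serviceaccount:monitoring:prometheus` gives the same answer without the script. The hardened role in the sample uses `nodes/metrics`, which is the subresource the kubelet authorizes its `/metrics` paths as, so a scraper keeps working while losing the exec path.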
Impact
Any principal holding `get` on `nodes/proxy` can run arbitrary commands in every container on every node it can proxy to, without holding `create` on `pods/exec` or any pod-level permission in the target namespace. Because the request is authorized and recorded as a GET on `nodes/proxy` rather than as a `pods/exec` operation, RBAC restrictions and detections keyed on `pods/exec` do not cover it. The grant is commonly attached to monitoring or metrics service accounts, whose tokens then become a path to cluster-wide code execution.
References
- Kubernetes nodes/proxy GET RCE Technique
- KEP-2862: Fine-grained Kubelet API Authorization
- MITRE ATT&CK Technique: T1609: Container Administration Command
- MITRE ATT&CK Technique: T1068: Exploitation for Privilege Escalation
- MITRE ATT&CK Technique: T1562.006: Impair Defenses: Indicator Blocking
- MITRE ATT&CK Technique: T1550.001: Use Alternate Authentication Material: Application Access Token