CVE-2020-8558 Jun 2026
In default Kubernetes setups, kube-proxy listens on 0.0.0.0 (all interfaces) for specific ports to serve health checks and metrics. The vulnerability stems from how kube-proxy handles traffic when the --cluster-cidr flag is not configured correctly or when it assumes that traffic arriving at the node's IP belongs to the cluster network.
CVE-2020-8558 is a vulnerability in the Kubernetes API server that allows an attacker to make requests to the API server using a compromised service account. The vulnerability exists because the API server does not properly validate the authentication credentials of a service account when handling certain types of requests. This means that if an attacker can create or modify a service account and its corresponding tokens, they can use these credentials to make API requests as if they were made by the service account.
    # On each node
    cat /proc/sys/net/ipv4/conf/all/route_localnet
    # Returns 1 → risky
The following versions of Kubernetes are affected by CVE-2020-8558:
with authentication (e.g., kubelet --anonymous-auth=false).
: Other local services, such as health checks or metadata APIs, may expose sensitive configuration data or secrets.

Affected Versions
To check if your cluster is vulnerable:
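As an added example (not code from the original page or from the Kubernetes project), the script below goes beyond the single `route_localnet` read shown on this page: it checks every interface and lists the loopback-bound TCP listeners, that is, the local services the page says may expose data. The function names, the optional proc-root argument and the sample tree are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the
# optional proc-root argument are assumptions made for this sketch.

# Print each interface whose route_localnet sysctl is set to 1.
route_localnet_enabled() {
  for f in "${1:-/proc}"/sys/net/ipv4/conf/*/route_localnet; do
    [ -r "$f" ] || continue
    if [ "$(cat "$f")" = "1" ]; then basename "$(dirname "$f")"; fi
  done
}

# Print ports of TCP sockets in LISTEN state (0A) bound inside 127.0.0.0/8.
# /proc/net/tcp stores the IPv4 address as hex in host byte order; on
# little-endian hosts (assumed here) the first octet is the last hex pair.
loopback_listeners() {
  awk 'NR > 1 && $4 == "0A" { split($2, a, ":");
       if (substr(a[1], 7, 2) == "7F") print a[2] }' "${1:-/proc/net/tcp}" |
  while read -r hex; do printf '%d\n' "0x$hex"; done | sort -n -u
}

# Exit status 0 when no interface has route_localnet=1, 1 otherwise.
audit_node() {
  root="${1:-/proc}"
  ifaces=$(route_localnet_enabled "$root")
  if [ -z "$ifaces" ]; then
    echo "OK: route_localnet is 0 on every interface"
    return 0
  fi
  echo "RISKY: route_localnet=1 on:" $ifaces
  ports=$(loopback_listeners "$root/net/tcp")
  if [ -n "$ports" ]; then echo "Loopback-only listeners to review:" $ports; fi
  return 1
}

# Constructed sample tree (not real node data) for an offline run.
make_sample_tree() {
  mkdir -p "$1/sys/net/ipv4/conf/all" "$1/sys/net/ipv4/conf/eth0" "$1/net"
  echo 1 > "$1/sys/net/ipv4/conf/all/route_localnet"
  echo 0 > "$1/sys/net/ipv4/conf/eth0/route_localnet"
  printf '%s\n' '  sl  local_address rem_address   st' \
    '   0: 0100007F:1F90 00000000:0000 0A' \
    '   1: 00000000:0016 00000000:0000 0A' \
    '   2: 0100007F:C350 0100007F:1F90 01' > "$1/net/tcp"
}

if [ "${1:-}" = "--audit" ]; then audit_node /proc; fi
```

Run it with `--audit` on a node to inspect the live `/proc`; it covers TCP over IPv4 only, so UDP listeners need a separate look.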