CVE-2022-24817
CVE-2022-24817 is a critical-severity vulnerability in Fluxcd Flux2 with a CVSS 3.x base score of 9.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-94.
Key facts
- Severity: Critical (CVSS 3.x base score 9.9)
- CVSS v2: 6.5
- EPSS exploit prediction: 1% (60th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-94
- Affected product: Fluxcd Flux2
- Published:
- Last modified:
Description
Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also lead to privilege escalation if the controller's service account has elevated permissions. Workarounds include disabling functionality via Validating Admission webhooks by restricting users from setting the `spec.kubeConfig` field in Flux `Kustomization` and `HelmRelease` objects. Additional mitigations include applying restrictive AppArmor and SELinux profiles on the controller’s pod to limit what binaries can be executed. This vulnerability is fixed in kustomize-controller v0.23.0 and helm-controller v0.19.0, both included in flux2 v0.29.0
Frequently asked questions
- What is CVE-2022-24817?
- Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also lead to privilege escalation if the controller's service account has elevated permissions. Workarounds include disabling functionality via Validating Admission webhooks by restricting users from setting the `spec.kubeConfig` field in Flux `Kustomization` and `HelmRelease` objects. Additional mitigations include applying restrictive AppArmor and SELinux profiles on the controller’s pod to limit what binaries can be executed. This vulnerability is fixed in kustomize-controller v0.23.0 and helm-controller v0.19.0, both included in flux2 v0.29.0
- How severe is CVE-2022-24817?
- CVE-2022-24817 has a CVSS 3.x base score of 9.9, rated critical severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-24817 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (60th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-24817?
- CVE-2022-24817 primarily affects Fluxcd Flux2. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-24817?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2022-24817 published?
- CVE-2022-24817 was published on 2022-05-06 and last updated on 2026-06-17.
References
Affected products (3)
- cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*
- cpe:2.3:a:fluxcd:helm-controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:*
More vulnerabilities in Fluxcd Flux2
- CVE-2022-24877 — Critical (CVSS 9.9): Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller…
- CVE-2022-36049 — High (CVSS 7.7): Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a…
- CVE-2022-36035 — High (CVSS 7.7): Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and…
- CVE-2022-24878 — High (CVSS 7.7): Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller…
- CVE-2022-39272 — Medium (CVSS 5.0): Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a…
All CVEs affecting Fluxcd Flux2 →
Other CWE-94 (Code Injection) vulnerabilities
- CVE-2026-57624 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.
- CVE-2026-10134 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read…
- CVE-2026-53576 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter…
- CVE-2026-10561 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined…
- CVE-2026-25470 — Critical (CVSS 10.0): Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin…
- CVE-2026-48836 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.