CVE-2020-8554

1 minute read

CVE-2020-8554 describes a traffic interception risk in Kubernetes service handling. An actor with permissions to create or update Service resources can abuse spec.externalIPs or status.loadBalancer.ingress.ip to redirect traffic.

Scope

Clusters that allow untrusted tenants to create or update Service objects are affected.

Prevention

Restrict who can create or update Service resources.
Restrict or deny untrusted ExternalIPs usage through admission policy.
Audit and monitor changes to Service status updates, especially LoadBalancer ingress IP updates.

Fixed by KLTS

v1.19.16-lts.3 CVE-2020-8554.1.19.patch
v1.18.20-lts.3 CVE-2020-8554.1.18.patch

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified April 15, 2026 : docs: add CVE-2020-8554 patch pages (70e8f5ca)