Detections
Analytics

CVE-2026-25518

medium

Description

cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. In versions from 1.18.0 to before 1.18.5 and from 1.19.0 to before 1.19.3, the cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in denial‑of‑service (DoS) of the cert-manager controller. The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor. This issue has been patched in versions 1.18.5 and 1.19.3.

References

https://github.com/cert-manager/cert-manager/security/advisories/GHSA-gx3x-vq4p-mhhv

https://github.com/cert-manager/cert-manager/pull/8469

https://github.com/cert-manager/cert-manager/pull/8468

https://github.com/cert-manager/cert-manager/pull/8467

https://github.com/cert-manager/cert-manager/commit/d4faed26ae12115cceb807cdc12507ebc28980e2

https://github.com/cert-manager/cert-manager/commit/9a73a0b3853035827edd37ac463e4803ba10327d

https://github.com/cert-manager/cert-manager/commit/409fc24e539711a07aae45ed45abbe03dfdad2cc

Details

Source: Mitre, NVD

Published: 2026-02-04

Updated: 2026-02-05

Risk Information

CVSS v2

Base Score: 5.4

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:C

Severity: Medium

CVSS v3

Base Score: 5.9

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: Medium

EPSS

EPSS: 0.00041