Datadog Security Labs detailed CVE-2020-8561, an unpatchable Kubernetes weakness that can turn the kube-apiserver into a high-impact server-side request forgery (SSRF) proxy. An attacker with valid Kubernetes credentials and elevated privileges, typically cluster-admin, can abuse a ValidatingWebhookConfiguration object to make the API server send requests to attacker-controlled or internal destinations. By combining that behavior with profiling-enabled log-level changes, the attacker can cause the API server to log full responses from those privileged network requests rather than merely confirming whether a port is reachable.
The issue is most dangerous when the Kubernetes control plane sits in a more trusted network segment than worker nodes, including managed Kubernetes environments hosted inside cloud provider networks. Because there is no straightforward code fix, defenders are being urged to reduce exposure through configuration and architecture changes, notably disabling API server profiling with:
--profiling=false
and ensuring that SSRF originating from the API server cannot reach sensitive internal services or metadata endpoints.
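A defender-side audit of the two conditions described above, as an added example that is not code from Datadog, Kubernetes or this page: it checks whether profiling is still enabled in a kube-apiserver argument list and lists ValidatingWebhookConfiguration entries that use a raw URL instead of a service reference. The function names and the sample data are constructed for illustration; in practice the input would come from the API server's own arguments and from `kubectl get validatingwebhookconfigurations -o json`.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: argument list of a kube-apiserver process.
SAMPLE_APISERVER_ARGS = ["kube-apiserver", "--authorization-mode=Node,RBAC", "--profiling=true"]

# Constructed sample shaped like `kubectl get validatingwebhookconfigurations -o json`.
SAMPLE_WEBHOOKS = json.loads("""
{"items": [
  {"metadata": {"name": "policy-check"},
   "webhooks": [{"name": "a.example.test",
                 "clientConfig": {"service": {"namespace": "policy", "name": "checker"}}}]},
  {"metadata": {"name": "odd-one"},
   "webhooks": [{"name": "b.example.test", "clientConfig": {"url": "https://169.254.169.254/"}},
                {"name": "c.example.test", "clientConfig": {"url": "https://hooks.example.test/v"}}]}
]}
""")

def profiling_enabled(args):
    """Profiling defaults to on; only an explicit false value turns it off."""
    enabled = True
    for arg in args:
        name, _, value = arg.partition("=")
        if name == "--profiling":  # the last occurrence wins
            enabled = value.strip().lower() not in ("false", "f", "0")
    return enabled

def webhook_url_findings(doc):
    """Return (config, webhook, url, reason) for every URL-style webhook."""
    findings = []
    for cfg in doc.get("items", []):
        for hook in cfg.get("webhooks", []):
            url = hook.get("clientConfig", {}).get("url")
            if not url:
                continue  # service reference, not a raw URL
            host = urlsplit(url).hostname or ""
            try:
                ip = ipaddress.ip_address(host)
                internal = ip.is_private or ip.is_loopback or ip.is_link_local
                reason = "internal address" if internal else "external IP literal"
            except ValueError:
                reason = "external hostname, confirm owner"
            findings.append((cfg["metadata"]["name"], hook["name"], url, reason))
    return findings

if __name__ == "__main__":
    print("profiling enabled:", profiling_enabled(SAMPLE_APISERVER_ARGS))
    for finding in webhook_url_findings(SAMPLE_WEBHOOKS):
        print(*finding, sep=" | ")
```
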

2 events from the most recent confirmed update back to the earliest known activity.
Datadog Security Labs published an analysis showing how CVE-2020-8561 can be chained with profiling-enabled log-level changes to expose full responses from privileged network requests made by the Kubernetes API server. The report recommended disabling API server profiling and limiting control-plane network reachability to reduce impact.
Kubernetes documented CVE-2020-8561 for a vulnerability in which an authenticated user with sufficient privileges can abuse a ValidatingWebhookConfiguration to trigger server-side requests from the kube-apiserver. The issue was recognized as effectively unpatchable because it stems from intended API server behavior rather than a simple code flaw.