# [CRIT] [GHSA / CRITICAL] CVE-2026-44182: Jupyter Enterprise Gateway: Kubernetes Manifest Injection in Jinja2 Template Rendering

**Source:** GitHub Security Advisories
**Published:** 2026-06-03
**Article:** https://github.com/advisories/GHSA-cfw7-6c5v-2wjq

## Threat Profile

Jupyter Enterprise Gateway: Kubernetes Manifest Injection in Jinja2 Template Rendering

### Summary

The environment variables used during the rendering of the Kubernetes manifest allow YAML injection, enabling attackers to overwrite existing keys like `securityContext` and inject multi-document YAML to create additional unintended Kubernetes resources.

### Details

The server interpolates untrusted environment variables (e.g., `KERNEL_XXX`) into Kubernetes manifests without YAML-aware escaping…
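
A self-contained illustration of the injection the summary describes, beside a YAML-aware quoting fix. This is an added example and not code from Jupyter Enterprise Gateway: the pod template is an assumed, simplified stand-in for the project's kernel-pod template, the `yamlq` filter and the `manifest_is_sane` guard are hypothetical names, and the `KERNEL_WORKING_DIR` payloads are constructed. It needs Jinja2 and PyYAML.

```python
"""YAML injection through an unquoted Jinja2 scalar, and a quoting fix.

Added example, not code from Jupyter Enterprise Gateway. The template is an
assumed, simplified kernel-pod manifest and the payloads are constructed.
"""
import json

import yaml                      # PyYAML
from jinja2 import Environment   # Jinja2

# Assumed, simplified pod template (not the project's real one). The value is
# dropped in bare, so a newline inside it becomes YAML structure. The env loop
# sits last because the injected lines must be the final thing rendered for
# the result to stay parseable in this simplified layout.
VULNERABLE_TEMPLATE = """\
apiVersion: v1
kind: Pod
metadata:
  name: {{ kernel_pod_name }}
spec:
  securityContext:
    runAsUser: 1000
    runAsNonRoot: true
  containers:
  - name: kernel
    image: {{ kernel_image }}
    env:
{% for key, value in kernel_env.items() %}
    - name: {{ key }}
      value: {{ value }}
{% endfor %}
"""

# Hardened form: every interpolated scalar passes through the `yamlq` filter
# (hypothetical name, registered in render_manifest), so newlines and document
# markers stay inside one quoted string.
HARDENED_TEMPLATE = """\
apiVersion: v1
kind: Pod
metadata:
  name: {{ kernel_pod_name | yamlq }}
spec:
  securityContext:
    runAsUser: 1000
    runAsNonRoot: true
  containers:
  - name: kernel
    image: {{ kernel_image | yamlq }}
    env:
{% for key, value in kernel_env.items() %}
    - name: {{ key | yamlq }}
      value: {{ value | yamlq }}
{% endfor %}
"""

# Constructed attacker-controlled values (a KERNEL_* variable supplied with the
# kernel-start request). ROOT_OVERRIDE adds a sibling `securityContext` at the
# indentation of `spec`; PyYAML keeps the last duplicate key, so it wins.
# EXTRA_DOC closes the pod document with `---` and opens a second resource.
ROOT_OVERRIDE = "/home/jovyan\n  securityContext:\n    runAsUser: 0\n    runAsNonRoot: false"
EXTRA_DOC = ("x\n---\napiVersion: v1\nkind: Pod\nmetadata:\n  name: rogue\n"
             "spec:\n  hostPID: true\n  containers:\n  - name: c\n    image: busybox")


def render_manifest(template_text: str, kernel_env: dict) -> str:
    """Render one of the templates above with the given KERNEL_* environment."""
    env = Environment(trim_blocks=True, lstrip_blocks=True)
    # A JSON string literal is a valid YAML double-quoted scalar: newlines,
    # quotes and non-ASCII are escaped, so the value cannot alter structure.
    env.filters["yamlq"] = json.dumps
    return env.from_string(template_text).render(
        kernel_pod_name="kernel-abc123",
        kernel_image="example.invalid/kernel:1",   # placeholder image (assumption)
        kernel_env=kernel_env,
    )


def manifest_docs(manifest: str) -> list:
    """Every YAML document in the rendered text; an injected second document is
    an extra resource a launcher iterating over documents would create."""
    return list(yaml.safe_load_all(manifest))


def manifest_is_sane(manifest: str) -> bool:
    """Post-render guard: exactly one Pod whose pod-level securityContext still
    forbids root. Cheap to run before anything is submitted to the API server."""
    docs = manifest_docs(manifest)
    if len(docs) != 1 or not isinstance(docs[0], dict) or docs[0].get("kind") != "Pod":
        return False
    psc = (docs[0].get("spec") or {}).get("securityContext") or {}
    return psc.get("runAsUser") not in (0, None) and psc.get("runAsNonRoot") is True


def kernel_env_with(payload: str) -> dict:
    """Constructed KERNEL_* environment; the attacker-controlled value is last."""
    return {"KERNEL_ID": "abc123", "KERNEL_WORKING_DIR": payload}
```

Quoting through `json.dumps` works because a JSON string literal is a valid YAML double-quoted scalar. Building the manifest as a dict and serialising it with `yaml.safe_dump` is the more thorough option, and the document-count check in `manifest_is_sane` catches the multi-document variant however the template is written.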

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-44182`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1204.002** — User Execution: Malicious File
- **T1059** — Command and Scripting Interpreter
- **T1611** — Escape to Host
- **T1068** — Exploitation for Privilege Escalation

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Jupyter Enterprise Gateway /api/kernels POST with KERNEL_* YAML-injection payload

`UC_133_2` · phase: **exploit** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method="POST" Web.url="*/api/kernels*" by Web.src, Web.dest, Web.url, Web.http_user_agent, Web.status
| `drop_dm_object_name(Web)`
| join type=inner src dest [ search (sourcetype=nginx:plus:access OR sourcetype=ingress:nginx OR sourcetype=kube:container:enterprise-gateway OR sourcetype=istio:envoy:access) "/api/kernels" "KERNEL_" ("securityContext" OR "runAsUser" OR "runAsGroup" OR "fsGroup" OR "privileged" OR "hostPath") | table _time src dest _raw ]
| convert ctime(firstTime) ctime(lastTime)
| table firstTime, lastTime, src, dest, url, http_user_agent, status
```

The inner search only fires where the request body is logged (a WAF or ingress body capture); plain access logs carry the URL but not the `KERNEL_*` payload. The YAML document markers `---` and `...` are punctuation only, which Splunk's segmentation drops, so they do not match as search terms; the subsearch therefore keys on the field names an attacker has to spell out (`securityContext`, `runAsUser`, and so on).

**Defender KQL:**
```kql
// Endpoint-tier visibility only — looks for outbound connections from a host to the EG service
// where the EG ingress is reachable internally; pair with WAF/ingress body inspection in Sentinel.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (31529, 8888, 8889, 8443)
| where RemoteUrl has "/api/kernels" or AdditionalFields has "/api/kernels"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessAccountName
| order by Timestamp desc
```

### Privileged or root pod created by Jupyter Enterprise Gateway ServiceAccount

`UC_133_3` · phase: **install** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
search (sourcetype=kube:apiserver:audit OR sourcetype="aws:cloudwatchlogs:eks" OR sourcetype="aks:audit" OR sourcetype="gcp:gke:audit")
  verb=create "objectRef.resource"=pods stage=ResponseComplete
  ("user.username"=*enterprise-gateway* OR "user.username"="system:serviceaccount:enterprise-gateway:enterprise-gateway*" OR "impersonatedUser.username"=*enterprise-gateway*)
  ("\"privileged\":true" OR "\"runAsUser\":0" OR "\"runAsGroup\":0" OR "\"hostNetwork\":true" OR "\"hostPID\":true" OR "hostPath")
| spath input=_raw
| eval podName=coalesce('objectRef.name','requestObject.metadata.name'), ns='objectRef.namespace', sa='user.username'
| stats min(_time) as firstTime max(_time) as lastTime values(podName) as podName values(ns) as namespace values(sourceIPs{}) as src by sa, host
| convert ctime(firstTime) ctime(lastTime)
```
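
The same hunt expressed as structured logic, as an added example that is not part of the original briefing or of the project: it reads Kubernetes audit events as JSON lines and inspects the `PodSpec` itself instead of substring-matching serialised JSON, so it is independent of how the event was serialised and reports which field triggered. The service-account name is an assumption and the audit lines are constructed.

```python
"""Structural check of Kubernetes audit events for risky pods created by the
Enterprise Gateway service account. Added example, not the project's code: the
service-account name is an assumption and the audit lines are constructed."""
import json
from typing import Iterable, List

# Assumed identity of the gateway's ServiceAccount (namespace:name); adjust per cluster.
EG_SERVICE_ACCOUNTS = {"system:serviceaccount:enterprise-gateway:enterprise-gateway"}
HOST_FLAGS = ("hostPID", "hostNetwork", "hostIPC")


def risky_reasons(spec: dict) -> List[str]:
    """Why a PodSpec is risky for a kernel pod: root uid/gid, host namespaces,
    hostPath volumes, privileged or root containers (init containers included)."""
    reasons = []
    psc = spec.get("securityContext") or {}
    if psc.get("runAsUser") == 0 or psc.get("runAsGroup") == 0:
        reasons.append("pod securityContext runAsUser/runAsGroup 0")
    for flag in HOST_FLAGS:
        if spec.get(flag) is True:
            reasons.append(f"{flag}=true")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            reasons.append(f"hostPath volume {vol.get('name')}")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        csc = c.get("securityContext") or {}
        if csc.get("privileged") is True:
            reasons.append(f"container {c.get('name')} privileged")
        if csc.get("runAsUser") == 0:
            reasons.append(f"container {c.get('name')} runAsUser 0")
    return reasons


def audit_findings(lines: Iterable[str]) -> List[dict]:
    """Apply the hunt to JSON-lines audit events: completed pod creates by the
    gateway SA (directly or via impersonation) whose requestObject carries a
    risky spec. requestObject needs audit level Request or RequestResponse."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if (ev.get("verb") != "create" or ref.get("resource") != "pods"
                or ev.get("stage") != "ResponseComplete"):
            continue
        user = (ev.get("user") or {}).get("username")
        impersonated = (ev.get("impersonatedUser") or {}).get("username")
        if not EG_SERVICE_ACCOUNTS & {user, impersonated}:
            continue
        obj = ev.get("requestObject") or {}
        reasons = risky_reasons(obj.get("spec") or {})
        if reasons:
            findings.append({
                "auditID": ev.get("auditID"),
                "namespace": ref.get("namespace"),
                "pod": (obj.get("metadata") or {}).get("name") or ref.get("name"),
                "sourceIPs": ev.get("sourceIPs"),
                "reasons": reasons,
            })
    return findings


EG_SA = "system:serviceaccount:enterprise-gateway:enterprise-gateway"


def _event(audit_id: str, name: str, username: str, spec: dict,
           stage: str = "ResponseComplete") -> str:
    """Constructed audit.k8s.io/v1 event in the shape the API server emits."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
        "auditID": audit_id, "stage": stage, "verb": "create",
        "requestURI": "/api/v1/namespaces/enterprise-gateway/pods",
        "user": {"username": username, "groups": ["system:serviceaccounts"]},
        "sourceIPs": ["10.0.0.7"],
        "objectRef": {"resource": "pods", "namespace": "enterprise-gateway", "name": name},
        "requestObject": {"apiVersion": "v1", "kind": "Pod",
                          "metadata": {"name": name}, "spec": spec},
    })


KERNEL = {"name": "kernel", "image": "example.invalid/kernel:1"}   # placeholder image
SAMPLE_AUDIT_LINES = [   # constructed, not real cluster data
    _event("a1", "kernel-ok", EG_SA,
           {"securityContext": {"runAsUser": 1000}, "containers": [KERNEL]}),
    _event("a2", "kernel-root", EG_SA,
           {"securityContext": {"runAsUser": 0}, "containers": [KERNEL]}),
    _event("a3", "kernel-priv", EG_SA,
           {"hostPID": True, "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
            "containers": [dict(KERNEL, securityContext={"privileged": True})]}),
    _event("a4", "kernel-early", EG_SA,
           {"securityContext": {"runAsUser": 0}, "containers": [KERNEL]},
           stage="RequestReceived"),
    _event("a5", "other-root", "system:serviceaccount:kube-system:deployer",
           {"securityContext": {"runAsUser": 0}, "containers": [KERNEL]}),
]
```

Only the completed creates by the gateway identity with a risky spec are reported (`kernel-root` and `kernel-priv` in the sample); the `RequestReceived` stage is skipped so each request is counted once, and creates by other identities fall through to whatever baseline hunt covers them.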

### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-44182: Jupyter Enterprise Gateway: Kubernetes Manifest Injection in Jinja2 Template Rendering

`UC_133_1` · phase: **exploit** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime
    from datamodel=Endpoint.Processes
    where (Processes.process_name="launch_kubernetes.py" OR Processes.process="*launch_kubernetes.py*")
    by Processes.dest, Processes.user, Processes.process_name,
       Processes.process, Processes.parent_process_name, Processes.process_path
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| append [
| tstats `summariesonly` count
    from datamodel=Endpoint.Filesystem
    where Filesystem.action IN ("created","modified")
      AND (Filesystem.file_path="*/home/jovyan*" OR Filesystem.file_name IN ("launch_kubernetes.py"))
    by Filesystem.dest, Filesystem.user, Filesystem.process_name,
       Filesystem.file_path, Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
]
```

**Defender KQL:**
```kql
// Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-44182: Jupyter Enterprise Gateway: Kubernetes Manifest Injection in Jinja2 Template Rendering
// Hunts the actual binaries / paths / commandline fragments named
// in the article instead of a generic technique-class template.
// A .py launcher is started through an interpreter, so the script name normally
// appears in ProcessCommandLine rather than in FileName; match both.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "launch_kubernetes.py" or ProcessCommandLine has "launch_kubernetes.py"
| project Timestamp, DeviceName, AccountName, FileName,
          FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// File-creation events for the named binaries / paths
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType in ("FileCreated","FileModified")
| where (FolderPath has_any ("/home/jovyan") or FileName in~ ("launch_kubernetes.py"))
| project Timestamp, DeviceName, AccountName, FolderPath,
          FileName, ActionType, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-44182`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
