GHSA-rp7v-4384-hfrp: k8sGPT has Prompt Injection through its k8sGPT-Operator

April 24, 2026

In the auto-remediation pipeline, object_to_execution.go was deserializing the AI-generated YAML directly into a Deployment object, but there was lack of validation from the original Deployment object.

References

github.com/advisories/GHSA-rp7v-4384-hfrp
github.com/k8sgpt-ai/k8sgpt
github.com/k8sgpt-ai/k8sgpt/security/advisories/GHSA-rp7v-4384-hfrp

Code Behaviors & Features

Detect and mitigate GHSA-rp7v-4384-hfrp with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →