GHSA-hfc8-w5f4-3x6m: Ironic Standalone Operator's controller modifies user-owned resources without consent

May 29, 2026

The Ironic Standalone Operator (IRSO) is the operator to maintain an Ironic deployment for Metal3. IRSO controller automatically adds its environment label to user-provided Secrets and ConfigMaps without the resource owner’s consent. A high-privilege controller modifying user-owned resources constitutes an unauthorized integrity violation. Deployments running IrSO v0.7.0 through v0.8.1 that reference user-provided Secrets or ConfigMaps (TLS certificates, BMC CA, trusted CA) are affected.

References

github.com/advisories/GHSA-hfc8-w5f4-3x6m
github.com/metal3-io/ironic-standalone-operator/pull/619
github.com/metal3-io/ironic-standalone-operator/pull/664
github.com/metal3-io/ironic-standalone-operator/pull/665
github.com/metal3-io/ironic-standalone-operator/security/advisories/GHSA-hfc8-w5f4-3x6m

Code Behaviors & Features

Detect and mitigate GHSA-hfc8-w5f4-3x6m with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →