missionEnforcement admission controller, which will prevent any user without delete permissions on an object from modifying the OwnerReferences on that object. Note that this admission controller will apply to all users and object types.

Fixed Versions

- kube-apiserver: >= v1.31.12
- kube-apiserver: >= v1.32.8
- kube-apiserver: >= v1.33.4

Detection

This issue can be detected on clusters which have NodeRestriction but not OwnerReferencesPermissionEnforcement enabled by analyzing API audit logs for node patch requests issued by node users which modify OwnerReferences. In normal operation, a Kubelet will never issue a patch request which modifies its own OwnerReferences.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/133471

Acknowledgements

This vulnerability was reported by Paul Viossat.

The issue was fixed and coordinated by:

- Sergey Kanzhelev @SergeyKanzhelev
- Jordan Liggitt @liggitt
- Marko Mudrinić @xmudrii

Thank You,
Nathan Herz on behalf of the Kubernetes Security Response Committee

[kubernetes-announce] [Security Advisory] CVE-2025-5187: Nodes can delete themselves by adding an OwnerReference
Nathan Herz
kubernetes-announce@googlegroups.com, dev@kubernetes.io, kubernetes-security-announce@googlegroups.com, kubernetes-security-discuss@googlegroups.com, distributors-announce@kubernetes.io
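
The audit-log check described under Detection, sketched as an added example that is not part of the original advisory or of Kubernetes itself. It assumes JSON-lines audit output (audit.k8s.io/v1 events) recorded at the Request or RequestResponse level, since requestObject is absent at lower levels; the sample records and the names find_node_ownerref_patches, touches_owner_refs and SAMPLE_AUDIT_LINES are constructed for illustration.

```python
import json

def touches_owner_refs(body):
    """True if a patch body sets or edits metadata.ownerReferences."""
    if isinstance(body, dict):   # merge / strategic-merge patch document
        meta = body.get("metadata")
        return isinstance(meta, dict) and "ownerReferences" in meta
    if isinstance(body, list):   # JSON Patch (RFC 6902) operation list
        return any(isinstance(op, dict) and
                   str(op.get("path", "")).startswith("/metadata/ownerReferences")
                   for op in body)
    return False

def find_node_ownerref_patches(lines):
    """Return (timestamp, user, node) for node-user patches touching OwnerReferences."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                      # skip truncated or non-JSON lines
        if not isinstance(ev, dict) or ev.get("stage") != "ResponseComplete":
            continue                      # count each request once
        ref = ev.get("objectRef") or {}
        user = (ev.get("user") or {}).get("username", "")
        if (ev.get("verb") == "patch" and ref.get("resource") == "nodes"
                and user.startswith("system:node:")
                and touches_owner_refs(ev.get("requestObject"))):
            hits.append((ev.get("requestReceivedTimestamp"), user, ref.get("name")))
    return hits

def _event(user, node, body, stage="ResponseComplete"):
    # Constructed sample record carrying only the fields the check reads.
    return json.dumps({"stage": stage, "verb": "patch", "requestObject": body,
                       "requestReceivedTimestamp": "2025-01-01T00:00:00Z",
                       "user": {"username": user},
                       "objectRef": {"resource": "nodes", "name": node}})

OWNER = [{"kind": "Placeholder", "name": "constructed-owner"}]
PATCH = {"metadata": {"ownerReferences": OWNER}}
SAMPLE_AUDIT_LINES = [   # constructed, not taken from a real cluster
    _event("system:node:worker-1", "worker-1", {"status": {"conditions": []}}),
    _event("system:node:worker-2", "worker-2", PATCH),
    _event("system:node:worker-2", "worker-2", PATCH, stage="RequestReceived"),
    _event("system:node:worker-3", "worker-3",
           [{"op": "add", "path": "/metadata/ownerReferences", "value": OWNER}]),
    _event("kubernetes-admin", "worker-4", PATCH),
    "not json",
]
```

On the constructed sample only the worker-2 and worker-3 requests are reported; the routine status patch, the duplicate RequestReceived record, and the non-node user are ignored.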