A critical flaw in the control plane
The official Kubernetes security announcement from December 2018 described CVE-2018-1002105 as a critical issue in kube-apiserver. An attacker could establish a connection through the API server to backend services and then send arbitrary requests over that connection using the API server's TLS credentials.
Among flaws in the Go ecosystem, it is hard to find a better example of control-plane risk.
Why it remains so important
Kubernetes is not just another application. It is infrastructure control. When the central mediation and authorization layer is affected, the impact reaches far beyond a single product surface.
The official Kubernetes CVE feed still lists CVE-2018-1002105, which makes it a strong long-term reference even in 2026.
What this says about Go
Again, the problem is not the language itself. Go is heavily used in cloud-native infrastructure. That means a flaw in a major Go component often affects trust layers that are more sensitive than ordinary web pages.
With Kubernetes, the danger touches cluster control, backend access, credentials, and privilege boundaries.
The real lesson
Teams that say "we are on Kubernetes, so we have a mature platform" need one more sentence: platform maturity does not replace patching discipline, exposure review, or security architecture around the control plane.
A flaw in proxy handling or backend connection management can have outsized impact.
What to verify
Our view
If you want a representative Go infrastructure vulnerability, CVE-2018-1002105 is an excellent choice. It shows that the highest risk is often not in the language but in the Go software holding the most sensitive trust positions in modern infrastructure.