It looks like the latest version of metrics-server (v0.8.1) is currently affected by CVE-2026-24051. Snyk CLI report below:
```
> snyk container test registry.k8s.io/metrics-server/metrics-server:v0.8.1
Testing registry.k8s.io/metrics-server/metrics-server:v0.8.1...
Organization: <redacted>
Package manager: deb
Project name: docker-image|registry.k8s.io/metrics-server/metrics-server
Docker image: registry.k8s.io/metrics-server/metrics-server:v0.8.1
Platform: linux/amd64
Target OS: Distroless
Licenses: enabled
✔ Tested 4 dependencies for known issues, no vulnerable paths found.
-------------------------------------------------------
Testing registry.k8s.io/metrics-server/metrics-server:v0.8.1...
✗ High severity vulnerability found in go.opentelemetry.io/otel/sdk/resource
Description: Untrusted Search Path
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOOTELSDKRESOURCE-15182758
Introduced through: go.opentelemetry.io/otel/sdk/resource@v1.35.0
From: go.opentelemetry.io/otel/sdk/resource@v1.35.0
Fixed in: 1.40.0
Organization: <redacted>
Package manager: gomodules
Target file: /metrics-server
Project name: sigs.k8s.io/metrics-server
Docker image: registry.k8s.io/metrics-server/metrics-server:v0.8.1
Licenses: enabled
Tested 853 dependencies for known issues, found 1 issue.
```