{"vulnerability": "cve-2026-10840", "sightings": [{"uuid": "9b15f3d7-83b5-4e22-8f91-0500cd43e64a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-10840", "type": "seen", "source": "https://infosec.exchange/users/cR0w/statuses/116692281779225455", "content": "https://access.redhat.com/security/cve/cve-2026-10840\n\nA flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate.", "creation_timestamp": "2026-06-04T14:21:53.814832Z"}]}