RHSA-2026:11511

Vulnerability from csaf_redhat - Published: 2026-04-29 06:59 - Updated: 2026-04-30 21:35
Summary
Red Hat Security Advisory: Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.7.10
Severity
Important
Notes
Topic: Assisted installer RHEL 8 components for the multicluster engine for Kubernetes 2.7.10 General Availability release, with updates to container images.
Details: Assisted Installer RHEL 8 integrates components for the general multicluster engine for Kubernetes 2.7.10 release that simplify the process of deploying OpenShift Container Platform clusters. The multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters, or to import existing Kubernetes-based clusters for management. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
CVE-2026-7163

A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. The credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace. The affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected. This issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode. Successful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.

6.1 (Medium)
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
CWE-312 - Cleartext Storage of Sensitive Information
Vendor Fix For more information about Assisted Installer, see the following documentation: https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/clusters/cluster_mce_overview#cim-intro For multicluster engine for Kubernetes, see the following documentation for details on how to install the images: https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/clusters/cluster_mce_overview#mce-install-intro This documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.12. https://access.redhat.com/errata/RHSA-2026:11511
References
Acknowledgments
Red Hat Omer Vishlitzky Nick Carboni Riccardo Piccoli
To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Assisted installer RHEL 8 components for the multicluster engine for Kubernetes 2.7.10 General Availability release, with updates to container images.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Assisted Installer RHEL 8 integrates components for the general multicluster engine\nfor Kubernetes 2.7.10 release that simplify the process of deploying OpenShift Container\nPlatform clusters.\n\nThe multicluster engine for Kubernetes provides the foundational components\nthat are necessary for the centralized management of multiple\nKubernetes-based clusters across data centers, public clouds, and private\nclouds.\n\nYou can use the engine to create new Red Hat OpenShift Container Platform\nclusters, or to import existing Kubernetes-based clusters for management.\n\nAfter the clusters are managed, you can use the APIs that\nare provided by the engine to distribute configuration based on placement\npolicy.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:11511",
        "url": "https://access.redhat.com/errata/RHSA-2026:11511"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-7163",
        "url": "https://access.redhat.com/security/cve/CVE-2026-7163"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_11511.json"
      }
    ],
    "title": "Red Hat Security Advisory: Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.7.10",
    "tracking": {
      "current_release_date": "2026-04-30T21:35:15+00:00",
      "generator": {
        "date": "2026-04-30T21:35:15+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.7"
        }
      },
      "id": "RHSA-2026:11511",
      "initial_release_date": "2026-04-29T06:59:14+00:00",
      "revision_history": [
        {
          "date": "2026-04-29T06:59:14+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-30T14:47:48+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-04-30T21:35:15+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "multicluster engine for Kubernetes 2.7",
                "product": {
                  "name": "multicluster engine for Kubernetes 2.7",
                  "product_id": "multicluster engine for Kubernetes 2.7",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:multicluster_engine:2.7::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "multicluster engine for Kubernetes"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:211bed4541e76ea5b280dbe111b3ee0adc0ed74aca4c0a02de481b4212513b74_amd64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:211bed4541e76ea5b280dbe111b3ee0adc0ed74aca4c0a02de481b4212513b74_amd64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:211bed4541e76ea5b280dbe111b3ee0adc0ed74aca4c0a02de481b4212513b74_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3A211bed4541e76ea5b280dbe111b3ee0adc0ed74aca4c0a02de481b4212513b74?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777205801"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:8bcaaf6e4ce41945c3f448b5454441a24b89f85dbb0832a035d83f01642892ff_arm64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:8bcaaf6e4ce41945c3f448b5454441a24b89f85dbb0832a035d83f01642892ff_arm64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:8bcaaf6e4ce41945c3f448b5454441a24b89f85dbb0832a035d83f01642892ff_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3A8bcaaf6e4ce41945c3f448b5454441a24b89f85dbb0832a035d83f01642892ff?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777205801"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:968eee9473cdb66d70b08db22bbc887aa4a49658e29c6a73cfee6f30cda0d9e1_ppc64le",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:968eee9473cdb66d70b08db22bbc887aa4a49658e29c6a73cfee6f30cda0d9e1_ppc64le",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:968eee9473cdb66d70b08db22bbc887aa4a49658e29c6a73cfee6f30cda0d9e1_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3A968eee9473cdb66d70b08db22bbc887aa4a49658e29c6a73cfee6f30cda0d9e1?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777205801"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:e9a173fc2e1f497ff04828e4906aa81f3249c30e7804b6bc1fecb0f70daef1d3_s390x",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:e9a173fc2e1f497ff04828e4906aa81f3249c30e7804b6bc1fecb0f70daef1d3_s390x",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:e9a173fc2e1f497ff04828e4906aa81f3249c30e7804b6bc1fecb0f70daef1d3_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3Ae9a173fc2e1f497ff04828e4906aa81f3249c30e7804b6bc1fecb0f70daef1d3?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777205801"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:211bed4541e76ea5b280dbe111b3ee0adc0ed74aca4c0a02de481b4212513b74_amd64 as a component of multicluster engine for Kubernetes 2.7",
          "product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:211bed4541e76ea5b280dbe111b3ee0adc0ed74aca4c0a02de481b4212513b74_amd64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:211bed4541e76ea5b280dbe111b3ee0adc0ed74aca4c0a02de481b4212513b74_amd64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:8bcaaf6e4ce41945c3f448b5454441a24b89f85dbb0832a035d83f01642892ff_arm64 as a component of multicluster engine for Kubernetes 2.7",
          "product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:8bcaaf6e4ce41945c3f448b5454441a24b89f85dbb0832a035d83f01642892ff_arm64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:8bcaaf6e4ce41945c3f448b5454441a24b89f85dbb0832a035d83f01642892ff_arm64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:968eee9473cdb66d70b08db22bbc887aa4a49658e29c6a73cfee6f30cda0d9e1_ppc64le as a component of multicluster engine for Kubernetes 2.7",
          "product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:968eee9473cdb66d70b08db22bbc887aa4a49658e29c6a73cfee6f30cda0d9e1_ppc64le"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:968eee9473cdb66d70b08db22bbc887aa4a49658e29c6a73cfee6f30cda0d9e1_ppc64le",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:e9a173fc2e1f497ff04828e4906aa81f3249c30e7804b6bc1fecb0f70daef1d3_s390x as a component of multicluster engine for Kubernetes 2.7",
          "product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:e9a173fc2e1f497ff04828e4906aa81f3249c30e7804b6bc1fecb0f70daef1d3_s390x"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:e9a173fc2e1f497ff04828e4906aa81f3249c30e7804b6bc1fecb0f70daef1d3_s390x",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Omer Vishlitzky",
            "Nick Carboni",
            "Riccardo Piccoli"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2026-7163",
      "cwe": {
        "id": "CWE-312",
        "name": "Cleartext Storage of Sensitive Information"
      },
      "discovery_date": "2026-04-27T04:18:06.534000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2463152"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. \n\nThe credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace.\n\nThe affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected.\nThis issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode.\n\nSuccessful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "assisted-service: assisted-service: Authenticated users can gain administrative access to OpenShift clusters via credential disclosure",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:211bed4541e76ea5b280dbe111b3ee0adc0ed74aca4c0a02de481b4212513b74_amd64",
          "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:8bcaaf6e4ce41945c3f448b5454441a24b89f85dbb0832a035d83f01642892ff_arm64",
          "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:968eee9473cdb66d70b08db22bbc887aa4a49658e29c6a73cfee6f30cda0d9e1_ppc64le",
          "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:e9a173fc2e1f497ff04828e4906aa81f3249c30e7804b6bc1fecb0f70daef1d3_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-7163"
        },
        {
          "category": "external",
          "summary": "RHBZ#2463152",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463152"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-7163",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-7163"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7163",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7163"
        }
      ],
      "release_date": "2026-04-30T12:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-29T06:59:14+00:00",
          "details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.12.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:211bed4541e76ea5b280dbe111b3ee0adc0ed74aca4c0a02de481b4212513b74_amd64",
            "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:8bcaaf6e4ce41945c3f448b5454441a24b89f85dbb0832a035d83f01642892ff_arm64",
            "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:968eee9473cdb66d70b08db22bbc887aa4a49658e29c6a73cfee6f30cda0d9e1_ppc64le",
            "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:e9a173fc2e1f497ff04828e4906aa81f3249c30e7804b6bc1fecb0f70daef1d3_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:11511"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:211bed4541e76ea5b280dbe111b3ee0adc0ed74aca4c0a02de481b4212513b74_amd64",
            "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:8bcaaf6e4ce41945c3f448b5454441a24b89f85dbb0832a035d83f01642892ff_arm64",
            "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:968eee9473cdb66d70b08db22bbc887aa4a49658e29c6a73cfee6f30cda0d9e1_ppc64le",
            "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:e9a173fc2e1f497ff04828e4906aa81f3249c30e7804b6bc1fecb0f70daef1d3_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "assisted-service: assisted-service: Authenticated users can gain administrative access to OpenShift clusters via credential disclosure"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.