RHSA-2026:11512
Vulnerability from csaf_redhat - Published: 2026-04-29 07:00 - Updated: 2026-05-02 03:25

A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. The credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace.

The affected components ship as part of Multicluster Engine (MCE). Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected. This issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode. Successful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.
A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Assisted installer RHEL 9 components for the multicluster engine for Kubernetes 2.7.10 General Availability release, with updates to container images.",
"title": "Topic"
},
{
"category": "general",
"text": "Assisted Installer RHEL 9 integrates components for the general multicluster engine\nfor Kubernetes 2.7.10 release that simplify the process of deploying OpenShift Container\nPlatform clusters.\n\nThe multicluster engine for Kubernetes provides the foundational components\nthat are necessary for the centralized management of multiple\nKubernetes-based clusters across data centers, public clouds, and private\nclouds.\n\nYou can use the engine to create new Red Hat OpenShift Container Platform\nclusters, or to import existing Kubernetes-based clusters for management.\n\nAfter the clusters are managed, you can use the APIs that\nare provided by the engine to distribute configuration based on placement\npolicy.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:11512",
"url": "https://access.redhat.com/errata/RHSA-2026:11512"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-7163",
"url": "https://access.redhat.com/security/cve/CVE-2026-7163"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-34986",
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_11512.json"
}
],
"title": "Red Hat Security Advisory: Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.7.10",
"tracking": {
"current_release_date": "2026-05-02T03:25:53+00:00",
"generator": {
"date": "2026-05-02T03:25:53+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2026:11512",
"initial_release_date": "2026-04-29T07:00:38+00:00",
"revision_history": [
{
"date": "2026-04-29T07:00:38+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-30T14:47:48+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-02T03:25:53+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "multicluster engine for Kubernetes 2.7",
"product": {
"name": "multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:multicluster_engine:2.7::el9"
}
}
}
],
"category": "product_family",
"name": "multicluster engine for Kubernetes"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:4304b5faa3cecb148a078c5b508489d7e901c67c4d7e1309b09880e1893a801f_amd64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:4304b5faa3cecb148a078c5b508489d7e901c67c4d7e1309b09880e1893a801f_amd64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:4304b5faa3cecb148a078c5b508489d7e901c67c4d7e1309b09880e1893a801f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-image-service-rhel9@sha256%3A4304b5faa3cecb148a078c5b508489d7e901c67c4d7e1309b09880e1893a801f?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777360145"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:fca2e432bd533cdb9e296199cf397eca24b701efe2f56e1959801455c287ab51_amd64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:fca2e432bd533cdb9e296199cf397eca24b701efe2f56e1959801455c287ab51_amd64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:fca2e432bd533cdb9e296199cf397eca24b701efe2f56e1959801455c287ab51_amd64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-rhel9@sha256%3Afca2e432bd533cdb9e296199cf397eca24b701efe2f56e1959801455c287ab51?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777360557"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:10522a9c015a3851fb92dc3c11096cce8d425dbb9737559a2a2bdf96c0bc8c90_amd64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:10522a9c015a3851fb92dc3c11096cce8d425dbb9737559a2a2bdf96c0bc8c90_amd64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:10522a9c015a3851fb92dc3c11096cce8d425dbb9737559a2a2bdf96c0bc8c90_amd64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-agent-rhel9@sha256%3A10522a9c015a3851fb92dc3c11096cce8d425dbb9737559a2a2bdf96c0bc8c90?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777360597"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:241cd995577155ae308e7854c5f2a55aa106a359c812fb7d346aeb5c5daf6c33_amd64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:241cd995577155ae308e7854c5f2a55aa106a359c812fb7d346aeb5c5daf6c33_amd64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:241cd995577155ae308e7854c5f2a55aa106a359c812fb7d346aeb5c5daf6c33_amd64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-controller-rhel9@sha256%3A241cd995577155ae308e7854c5f2a55aa106a359c812fb7d346aeb5c5daf6c33?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777360530"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:afdc9e8438e456445cc5ebeeb889b5eba0944a6d7f2d822f7d7360b0476e1a51_amd64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:afdc9e8438e456445cc5ebeeb889b5eba0944a6d7f2d822f7d7360b0476e1a51_amd64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:afdc9e8438e456445cc5ebeeb889b5eba0944a6d7f2d822f7d7360b0476e1a51_amd64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-service-9-rhel9@sha256%3Aafdc9e8438e456445cc5ebeeb889b5eba0944a6d7f2d822f7d7360b0476e1a51?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777205772"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e689f98a4488dca31ed5152cab535528975a91daadf901f5d960e51d60d15213_arm64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e689f98a4488dca31ed5152cab535528975a91daadf901f5d960e51d60d15213_arm64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e689f98a4488dca31ed5152cab535528975a91daadf901f5d960e51d60d15213_arm64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-image-service-rhel9@sha256%3Ae689f98a4488dca31ed5152cab535528975a91daadf901f5d960e51d60d15213?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777360145"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:58096085243c570e45bebc86abffff5f406ed2d8fb5ec1cad8171b4a1a2d21d2_arm64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:58096085243c570e45bebc86abffff5f406ed2d8fb5ec1cad8171b4a1a2d21d2_arm64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:58096085243c570e45bebc86abffff5f406ed2d8fb5ec1cad8171b4a1a2d21d2_arm64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-rhel9@sha256%3A58096085243c570e45bebc86abffff5f406ed2d8fb5ec1cad8171b4a1a2d21d2?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777360557"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b1afae748ebd50608980fe07600ee777ac794fa8f896fb14b5b23bbee07c7cb2_arm64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b1afae748ebd50608980fe07600ee777ac794fa8f896fb14b5b23bbee07c7cb2_arm64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b1afae748ebd50608980fe07600ee777ac794fa8f896fb14b5b23bbee07c7cb2_arm64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-agent-rhel9@sha256%3Ab1afae748ebd50608980fe07600ee777ac794fa8f896fb14b5b23bbee07c7cb2?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777360597"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:ab6d71605f3af774dca68c16cb34be8336d42974aa58e273ee54a233c407ade4_arm64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:ab6d71605f3af774dca68c16cb34be8336d42974aa58e273ee54a233c407ade4_arm64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:ab6d71605f3af774dca68c16cb34be8336d42974aa58e273ee54a233c407ade4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-controller-rhel9@sha256%3Aab6d71605f3af774dca68c16cb34be8336d42974aa58e273ee54a233c407ade4?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777360530"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:b53af57794980ee5e2ff7ebc1de3f06b61fd9da93174516ce0a4b39b47bb1335_arm64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:b53af57794980ee5e2ff7ebc1de3f06b61fd9da93174516ce0a4b39b47bb1335_arm64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:b53af57794980ee5e2ff7ebc1de3f06b61fd9da93174516ce0a4b39b47bb1335_arm64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-service-9-rhel9@sha256%3Ab53af57794980ee5e2ff7ebc1de3f06b61fd9da93174516ce0a4b39b47bb1335?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777205772"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:c9e70bb2b1563c884d170139be052cc6d9f4dba9a6f7391d7cbdb91470117dec_ppc64le",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:c9e70bb2b1563c884d170139be052cc6d9f4dba9a6f7391d7cbdb91470117dec_ppc64le",
"product_id": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:c9e70bb2b1563c884d170139be052cc6d9f4dba9a6f7391d7cbdb91470117dec_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/assisted-image-service-rhel9@sha256%3Ac9e70bb2b1563c884d170139be052cc6d9f4dba9a6f7391d7cbdb91470117dec?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777360145"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d73847b79d7ab5835630fcef3afd42f7939195b46a8d046c7a6719c44d1d6cb3_ppc64le",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d73847b79d7ab5835630fcef3afd42f7939195b46a8d046c7a6719c44d1d6cb3_ppc64le",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d73847b79d7ab5835630fcef3afd42f7939195b46a8d046c7a6719c44d1d6cb3_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-rhel9@sha256%3Ad73847b79d7ab5835630fcef3afd42f7939195b46a8d046c7a6719c44d1d6cb3?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777360557"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:516da59066a260be9c0b4c0f88138aa6b4838f1cd0c2ae5707c69dbbf2094014_ppc64le",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:516da59066a260be9c0b4c0f88138aa6b4838f1cd0c2ae5707c69dbbf2094014_ppc64le",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:516da59066a260be9c0b4c0f88138aa6b4838f1cd0c2ae5707c69dbbf2094014_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-agent-rhel9@sha256%3A516da59066a260be9c0b4c0f88138aa6b4838f1cd0c2ae5707c69dbbf2094014?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777360597"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e92e8ec2f138a30ee2876de9eab449d3a94f5fbeaed645e8b0eb6f6ade63e4f8_ppc64le",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e92e8ec2f138a30ee2876de9eab449d3a94f5fbeaed645e8b0eb6f6ade63e4f8_ppc64le",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e92e8ec2f138a30ee2876de9eab449d3a94f5fbeaed645e8b0eb6f6ade63e4f8_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-controller-rhel9@sha256%3Ae92e8ec2f138a30ee2876de9eab449d3a94f5fbeaed645e8b0eb6f6ade63e4f8?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777360530"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:c58e21effc6a0617bb6b2077c4751eab19af05bb3aed49dbefaf13cc07508841_ppc64le",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:c58e21effc6a0617bb6b2077c4751eab19af05bb3aed49dbefaf13cc07508841_ppc64le",
"product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:c58e21effc6a0617bb6b2077c4751eab19af05bb3aed49dbefaf13cc07508841_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/assisted-service-9-rhel9@sha256%3Ac58e21effc6a0617bb6b2077c4751eab19af05bb3aed49dbefaf13cc07508841?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777205772"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e77bc616611c024f7d59edc9962fe9011bd8252f0379075979e00bffc098bac7_s390x",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e77bc616611c024f7d59edc9962fe9011bd8252f0379075979e00bffc098bac7_s390x",
"product_id": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e77bc616611c024f7d59edc9962fe9011bd8252f0379075979e00bffc098bac7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/assisted-image-service-rhel9@sha256%3Ae77bc616611c024f7d59edc9962fe9011bd8252f0379075979e00bffc098bac7?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777360145"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:f62914040f263a6262eb474f0287f3a2fae152d2e0d9d0d46c1303847157082f_s390x",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:f62914040f263a6262eb474f0287f3a2fae152d2e0d9d0d46c1303847157082f_s390x",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:f62914040f263a6262eb474f0287f3a2fae152d2e0d9d0d46c1303847157082f_s390x",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-rhel9@sha256%3Af62914040f263a6262eb474f0287f3a2fae152d2e0d9d0d46c1303847157082f?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777360557"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:492f890a7c362aef38bc37026e7e876347dec0bbb539c3500e86c251fd8a6542_s390x",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:492f890a7c362aef38bc37026e7e876347dec0bbb539c3500e86c251fd8a6542_s390x",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:492f890a7c362aef38bc37026e7e876347dec0bbb539c3500e86c251fd8a6542_s390x",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-agent-rhel9@sha256%3A492f890a7c362aef38bc37026e7e876347dec0bbb539c3500e86c251fd8a6542?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777360597"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:aebee16917807234bd1a55d11636a477da2e2889e7258590e114a1160ffcb115_s390x",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:aebee16917807234bd1a55d11636a477da2e2889e7258590e114a1160ffcb115_s390x",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:aebee16917807234bd1a55d11636a477da2e2889e7258590e114a1160ffcb115_s390x",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-controller-rhel9@sha256%3Aaebee16917807234bd1a55d11636a477da2e2889e7258590e114a1160ffcb115?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777360530"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:09d51fc2ad83b60575616be21d8c728856689d718f1faddf2377e6127adb7de6_s390x",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:09d51fc2ad83b60575616be21d8c728856689d718f1faddf2377e6127adb7de6_s390x",
"product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:09d51fc2ad83b60575616be21d8c728856689d718f1faddf2377e6127adb7de6_s390x",
"product_identification_helper": {
"purl": "pkg:oci/assisted-service-9-rhel9@sha256%3A09d51fc2ad83b60575616be21d8c728856689d718f1faddf2377e6127adb7de6?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1777205772"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:4304b5faa3cecb148a078c5b508489d7e901c67c4d7e1309b09880e1893a801f_amd64 as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:4304b5faa3cecb148a078c5b508489d7e901c67c4d7e1309b09880e1893a801f_amd64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:4304b5faa3cecb148a078c5b508489d7e901c67c4d7e1309b09880e1893a801f_amd64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:c9e70bb2b1563c884d170139be052cc6d9f4dba9a6f7391d7cbdb91470117dec_ppc64le as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:c9e70bb2b1563c884d170139be052cc6d9f4dba9a6f7391d7cbdb91470117dec_ppc64le"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:c9e70bb2b1563c884d170139be052cc6d9f4dba9a6f7391d7cbdb91470117dec_ppc64le",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e689f98a4488dca31ed5152cab535528975a91daadf901f5d960e51d60d15213_arm64 as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e689f98a4488dca31ed5152cab535528975a91daadf901f5d960e51d60d15213_arm64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e689f98a4488dca31ed5152cab535528975a91daadf901f5d960e51d60d15213_arm64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e77bc616611c024f7d59edc9962fe9011bd8252f0379075979e00bffc098bac7_s390x as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e77bc616611c024f7d59edc9962fe9011bd8252f0379075979e00bffc098bac7_s390x"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e77bc616611c024f7d59edc9962fe9011bd8252f0379075979e00bffc098bac7_s390x",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:10522a9c015a3851fb92dc3c11096cce8d425dbb9737559a2a2bdf96c0bc8c90_amd64 as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:10522a9c015a3851fb92dc3c11096cce8d425dbb9737559a2a2bdf96c0bc8c90_amd64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:10522a9c015a3851fb92dc3c11096cce8d425dbb9737559a2a2bdf96c0bc8c90_amd64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:492f890a7c362aef38bc37026e7e876347dec0bbb539c3500e86c251fd8a6542_s390x as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:492f890a7c362aef38bc37026e7e876347dec0bbb539c3500e86c251fd8a6542_s390x"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:492f890a7c362aef38bc37026e7e876347dec0bbb539c3500e86c251fd8a6542_s390x",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:516da59066a260be9c0b4c0f88138aa6b4838f1cd0c2ae5707c69dbbf2094014_ppc64le as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:516da59066a260be9c0b4c0f88138aa6b4838f1cd0c2ae5707c69dbbf2094014_ppc64le"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:516da59066a260be9c0b4c0f88138aa6b4838f1cd0c2ae5707c69dbbf2094014_ppc64le",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b1afae748ebd50608980fe07600ee777ac794fa8f896fb14b5b23bbee07c7cb2_arm64 as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b1afae748ebd50608980fe07600ee777ac794fa8f896fb14b5b23bbee07c7cb2_arm64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b1afae748ebd50608980fe07600ee777ac794fa8f896fb14b5b23bbee07c7cb2_arm64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:241cd995577155ae308e7854c5f2a55aa106a359c812fb7d346aeb5c5daf6c33_amd64 as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:241cd995577155ae308e7854c5f2a55aa106a359c812fb7d346aeb5c5daf6c33_amd64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:241cd995577155ae308e7854c5f2a55aa106a359c812fb7d346aeb5c5daf6c33_amd64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:ab6d71605f3af774dca68c16cb34be8336d42974aa58e273ee54a233c407ade4_arm64 as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:ab6d71605f3af774dca68c16cb34be8336d42974aa58e273ee54a233c407ade4_arm64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:ab6d71605f3af774dca68c16cb34be8336d42974aa58e273ee54a233c407ade4_arm64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:aebee16917807234bd1a55d11636a477da2e2889e7258590e114a1160ffcb115_s390x as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:aebee16917807234bd1a55d11636a477da2e2889e7258590e114a1160ffcb115_s390x"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:aebee16917807234bd1a55d11636a477da2e2889e7258590e114a1160ffcb115_s390x",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e92e8ec2f138a30ee2876de9eab449d3a94f5fbeaed645e8b0eb6f6ade63e4f8_ppc64le as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e92e8ec2f138a30ee2876de9eab449d3a94f5fbeaed645e8b0eb6f6ade63e4f8_ppc64le"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e92e8ec2f138a30ee2876de9eab449d3a94f5fbeaed645e8b0eb6f6ade63e4f8_ppc64le",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:58096085243c570e45bebc86abffff5f406ed2d8fb5ec1cad8171b4a1a2d21d2_arm64 as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:58096085243c570e45bebc86abffff5f406ed2d8fb5ec1cad8171b4a1a2d21d2_arm64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:58096085243c570e45bebc86abffff5f406ed2d8fb5ec1cad8171b4a1a2d21d2_arm64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d73847b79d7ab5835630fcef3afd42f7939195b46a8d046c7a6719c44d1d6cb3_ppc64le as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d73847b79d7ab5835630fcef3afd42f7939195b46a8d046c7a6719c44d1d6cb3_ppc64le"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d73847b79d7ab5835630fcef3afd42f7939195b46a8d046c7a6719c44d1d6cb3_ppc64le",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:f62914040f263a6262eb474f0287f3a2fae152d2e0d9d0d46c1303847157082f_s390x as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:f62914040f263a6262eb474f0287f3a2fae152d2e0d9d0d46c1303847157082f_s390x"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:f62914040f263a6262eb474f0287f3a2fae152d2e0d9d0d46c1303847157082f_s390x",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:fca2e432bd533cdb9e296199cf397eca24b701efe2f56e1959801455c287ab51_amd64 as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:fca2e432bd533cdb9e296199cf397eca24b701efe2f56e1959801455c287ab51_amd64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:fca2e432bd533cdb9e296199cf397eca24b701efe2f56e1959801455c287ab51_amd64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:09d51fc2ad83b60575616be21d8c728856689d718f1faddf2377e6127adb7de6_s390x as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:09d51fc2ad83b60575616be21d8c728856689d718f1faddf2377e6127adb7de6_s390x"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:09d51fc2ad83b60575616be21d8c728856689d718f1faddf2377e6127adb7de6_s390x",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:afdc9e8438e456445cc5ebeeb889b5eba0944a6d7f2d822f7d7360b0476e1a51_amd64 as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:afdc9e8438e456445cc5ebeeb889b5eba0944a6d7f2d822f7d7360b0476e1a51_amd64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:afdc9e8438e456445cc5ebeeb889b5eba0944a6d7f2d822f7d7360b0476e1a51_amd64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:b53af57794980ee5e2ff7ebc1de3f06b61fd9da93174516ce0a4b39b47bb1335_arm64 as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:b53af57794980ee5e2ff7ebc1de3f06b61fd9da93174516ce0a4b39b47bb1335_arm64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:b53af57794980ee5e2ff7ebc1de3f06b61fd9da93174516ce0a4b39b47bb1335_arm64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:c58e21effc6a0617bb6b2077c4751eab19af05bb3aed49dbefaf13cc07508841_ppc64le as a component of multicluster engine for Kubernetes 2.7",
"product_id": "multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:c58e21effc6a0617bb6b2077c4751eab19af05bb3aed49dbefaf13cc07508841_ppc64le"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:c58e21effc6a0617bb6b2077c4751eab19af05bb3aed49dbefaf13cc07508841_ppc64le",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.7"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Omer Vishlitzky",
"Nick Carboni",
"Riccardo Piccoli"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2026-7163",
"cwe": {
"id": "CWE-312",
"name": "Cleartext Storage of Sensitive Information"
},
"discovery_date": "2026-04-27T04:18:06.534000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:4304b5faa3cecb148a078c5b508489d7e901c67c4d7e1309b09880e1893a801f_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:c9e70bb2b1563c884d170139be052cc6d9f4dba9a6f7391d7cbdb91470117dec_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e689f98a4488dca31ed5152cab535528975a91daadf901f5d960e51d60d15213_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e77bc616611c024f7d59edc9962fe9011bd8252f0379075979e00bffc098bac7_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:10522a9c015a3851fb92dc3c11096cce8d425dbb9737559a2a2bdf96c0bc8c90_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:492f890a7c362aef38bc37026e7e876347dec0bbb539c3500e86c251fd8a6542_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:516da59066a260be9c0b4c0f88138aa6b4838f1cd0c2ae5707c69dbbf2094014_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b1afae748ebd50608980fe07600ee777ac794fa8f896fb14b5b23bbee07c7cb2_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:241cd995577155ae308e7854c5f2a55aa106a359c812fb7d346aeb5c5daf6c33_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:ab6d71605f3af774dca68c16cb34be8336d42974aa58e273ee54a233c407ade4_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:aebee16917807234bd1a55d11636a477da2e2889e7258590e114a1160ffcb115_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e92e8ec2f138a30ee2876de9eab449d3a94f5fbeaed645e8b0eb6f6ade63e4f8_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:58096085243c570e45bebc86abffff5f406ed2d8fb5ec1cad8171b4a1a2d21d2_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d73847b79d7ab5835630fcef3afd42f7939195b46a8d046c7a6719c44d1d6cb3_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:f62914040f263a6262eb474f0287f3a2fae152d2e0d9d0d46c1303847157082f_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:fca2e432bd533cdb9e296199cf397eca24b701efe2f56e1959801455c287ab51_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2463152"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. \n\nThe credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace.\n\nThe affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected.\nThis issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode.\n\nSuccessful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "assisted-service: assisted-service: Authenticated users can gain administrative access to OpenShift clusters via credential disclosure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:09d51fc2ad83b60575616be21d8c728856689d718f1faddf2377e6127adb7de6_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:afdc9e8438e456445cc5ebeeb889b5eba0944a6d7f2d822f7d7360b0476e1a51_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:b53af57794980ee5e2ff7ebc1de3f06b61fd9da93174516ce0a4b39b47bb1335_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:c58e21effc6a0617bb6b2077c4751eab19af05bb3aed49dbefaf13cc07508841_ppc64le"
],
"known_not_affected": [
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:4304b5faa3cecb148a078c5b508489d7e901c67c4d7e1309b09880e1893a801f_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:c9e70bb2b1563c884d170139be052cc6d9f4dba9a6f7391d7cbdb91470117dec_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e689f98a4488dca31ed5152cab535528975a91daadf901f5d960e51d60d15213_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e77bc616611c024f7d59edc9962fe9011bd8252f0379075979e00bffc098bac7_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:10522a9c015a3851fb92dc3c11096cce8d425dbb9737559a2a2bdf96c0bc8c90_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:492f890a7c362aef38bc37026e7e876347dec0bbb539c3500e86c251fd8a6542_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:516da59066a260be9c0b4c0f88138aa6b4838f1cd0c2ae5707c69dbbf2094014_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b1afae748ebd50608980fe07600ee777ac794fa8f896fb14b5b23bbee07c7cb2_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:241cd995577155ae308e7854c5f2a55aa106a359c812fb7d346aeb5c5daf6c33_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:ab6d71605f3af774dca68c16cb34be8336d42974aa58e273ee54a233c407ade4_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:aebee16917807234bd1a55d11636a477da2e2889e7258590e114a1160ffcb115_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e92e8ec2f138a30ee2876de9eab449d3a94f5fbeaed645e8b0eb6f6ade63e4f8_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:58096085243c570e45bebc86abffff5f406ed2d8fb5ec1cad8171b4a1a2d21d2_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d73847b79d7ab5835630fcef3afd42f7939195b46a8d046c7a6719c44d1d6cb3_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:f62914040f263a6262eb474f0287f3a2fae152d2e0d9d0d46c1303847157082f_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:fca2e432bd533cdb9e296199cf397eca24b701efe2f56e1959801455c287ab51_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7163"
},
{
"category": "external",
"summary": "RHBZ#2463152",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463152"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7163",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7163"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7163",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7163"
}
],
"release_date": "2026-04-30T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-29T07:00:38+00:00",
"details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.12.",
"product_ids": [
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:09d51fc2ad83b60575616be21d8c728856689d718f1faddf2377e6127adb7de6_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:afdc9e8438e456445cc5ebeeb889b5eba0944a6d7f2d822f7d7360b0476e1a51_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:b53af57794980ee5e2ff7ebc1de3f06b61fd9da93174516ce0a4b39b47bb1335_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:c58e21effc6a0617bb6b2077c4751eab19af05bb3aed49dbefaf13cc07508841_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:11512"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:4304b5faa3cecb148a078c5b508489d7e901c67c4d7e1309b09880e1893a801f_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:c9e70bb2b1563c884d170139be052cc6d9f4dba9a6f7391d7cbdb91470117dec_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e689f98a4488dca31ed5152cab535528975a91daadf901f5d960e51d60d15213_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e77bc616611c024f7d59edc9962fe9011bd8252f0379075979e00bffc098bac7_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:10522a9c015a3851fb92dc3c11096cce8d425dbb9737559a2a2bdf96c0bc8c90_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:492f890a7c362aef38bc37026e7e876347dec0bbb539c3500e86c251fd8a6542_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:516da59066a260be9c0b4c0f88138aa6b4838f1cd0c2ae5707c69dbbf2094014_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b1afae748ebd50608980fe07600ee777ac794fa8f896fb14b5b23bbee07c7cb2_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:241cd995577155ae308e7854c5f2a55aa106a359c812fb7d346aeb5c5daf6c33_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:ab6d71605f3af774dca68c16cb34be8336d42974aa58e273ee54a233c407ade4_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:aebee16917807234bd1a55d11636a477da2e2889e7258590e114a1160ffcb115_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e92e8ec2f138a30ee2876de9eab449d3a94f5fbeaed645e8b0eb6f6ade63e4f8_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:58096085243c570e45bebc86abffff5f406ed2d8fb5ec1cad8171b4a1a2d21d2_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d73847b79d7ab5835630fcef3afd42f7939195b46a8d046c7a6719c44d1d6cb3_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:f62914040f263a6262eb474f0287f3a2fae152d2e0d9d0d46c1303847157082f_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:fca2e432bd533cdb9e296199cf397eca24b701efe2f56e1959801455c287ab51_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:09d51fc2ad83b60575616be21d8c728856689d718f1faddf2377e6127adb7de6_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:afdc9e8438e456445cc5ebeeb889b5eba0944a6d7f2d822f7d7360b0476e1a51_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:b53af57794980ee5e2ff7ebc1de3f06b61fd9da93174516ce0a4b39b47bb1335_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:c58e21effc6a0617bb6b2077c4751eab19af05bb3aed49dbefaf13cc07508841_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "assisted-service: assisted-service: Authenticated users can gain administrative access to OpenShift clusters via credential disclosure"
},
{
"cve": "CVE-2026-34986",
"cwe": {
"id": "CWE-131",
"name": "Incorrect Calculation of Buffer Size"
},
"discovery_date": "2026-04-06T17:01:34.639203+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:4304b5faa3cecb148a078c5b508489d7e901c67c4d7e1309b09880e1893a801f_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:c9e70bb2b1563c884d170139be052cc6d9f4dba9a6f7391d7cbdb91470117dec_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e689f98a4488dca31ed5152cab535528975a91daadf901f5d960e51d60d15213_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e77bc616611c024f7d59edc9962fe9011bd8252f0379075979e00bffc098bac7_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:241cd995577155ae308e7854c5f2a55aa106a359c812fb7d346aeb5c5daf6c33_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:ab6d71605f3af774dca68c16cb34be8336d42974aa58e273ee54a233c407ade4_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:aebee16917807234bd1a55d11636a477da2e2889e7258590e114a1160ffcb115_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e92e8ec2f138a30ee2876de9eab449d3a94f5fbeaed645e8b0eb6f6ade63e4f8_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:58096085243c570e45bebc86abffff5f406ed2d8fb5ec1cad8171b4a1a2d21d2_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d73847b79d7ab5835630fcef3afd42f7939195b46a8d046c7a6719c44d1d6cb3_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:f62914040f263a6262eb474f0287f3a2fae152d2e0d9d0d46c1303847157082f_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:fca2e432bd533cdb9e296199cf397eca24b701efe2f56e1959801455c287ab51_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:09d51fc2ad83b60575616be21d8c728856689d718f1faddf2377e6127adb7de6_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:afdc9e8438e456445cc5ebeeb889b5eba0944a6d7f2d822f7d7360b0476e1a51_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:b53af57794980ee5e2ff7ebc1de3f06b61fd9da93174516ce0a4b39b47bb1335_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:c58e21effc6a0617bb6b2077c4751eab19af05bb3aed49dbefaf13cc07508841_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455470"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:10522a9c015a3851fb92dc3c11096cce8d425dbb9737559a2a2bdf96c0bc8c90_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:492f890a7c362aef38bc37026e7e876347dec0bbb539c3500e86c251fd8a6542_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:516da59066a260be9c0b4c0f88138aa6b4838f1cd0c2ae5707c69dbbf2094014_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b1afae748ebd50608980fe07600ee777ac794fa8f896fb14b5b23bbee07c7cb2_arm64"
],
"known_not_affected": [
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:4304b5faa3cecb148a078c5b508489d7e901c67c4d7e1309b09880e1893a801f_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:c9e70bb2b1563c884d170139be052cc6d9f4dba9a6f7391d7cbdb91470117dec_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e689f98a4488dca31ed5152cab535528975a91daadf901f5d960e51d60d15213_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e77bc616611c024f7d59edc9962fe9011bd8252f0379075979e00bffc098bac7_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:241cd995577155ae308e7854c5f2a55aa106a359c812fb7d346aeb5c5daf6c33_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:ab6d71605f3af774dca68c16cb34be8336d42974aa58e273ee54a233c407ade4_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:aebee16917807234bd1a55d11636a477da2e2889e7258590e114a1160ffcb115_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e92e8ec2f138a30ee2876de9eab449d3a94f5fbeaed645e8b0eb6f6ade63e4f8_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:58096085243c570e45bebc86abffff5f406ed2d8fb5ec1cad8171b4a1a2d21d2_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d73847b79d7ab5835630fcef3afd42f7939195b46a8d046c7a6719c44d1d6cb3_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:f62914040f263a6262eb474f0287f3a2fae152d2e0d9d0d46c1303847157082f_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:fca2e432bd533cdb9e296199cf397eca24b701efe2f56e1959801455c287ab51_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:09d51fc2ad83b60575616be21d8c728856689d718f1faddf2377e6127adb7de6_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:afdc9e8438e456445cc5ebeeb889b5eba0944a6d7f2d822f7d7360b0476e1a51_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:b53af57794980ee5e2ff7ebc1de3f06b61fd9da93174516ce0a4b39b47bb1335_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:c58e21effc6a0617bb6b2077c4751eab19af05bb3aed49dbefaf13cc07508841_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "RHBZ#2455470",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-34986",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34986"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
},
{
"category": "external",
"summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
"url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
},
{
"category": "external",
"summary": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
"url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
}
],
"release_date": "2026-04-06T16:22:45.353000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-29T07:00:38+00:00",
"details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.12.",
"product_ids": [
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:10522a9c015a3851fb92dc3c11096cce8d425dbb9737559a2a2bdf96c0bc8c90_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:492f890a7c362aef38bc37026e7e876347dec0bbb539c3500e86c251fd8a6542_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:516da59066a260be9c0b4c0f88138aa6b4838f1cd0c2ae5707c69dbbf2094014_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b1afae748ebd50608980fe07600ee777ac794fa8f896fb14b5b23bbee07c7cb2_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:11512"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:4304b5faa3cecb148a078c5b508489d7e901c67c4d7e1309b09880e1893a801f_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:c9e70bb2b1563c884d170139be052cc6d9f4dba9a6f7391d7cbdb91470117dec_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e689f98a4488dca31ed5152cab535528975a91daadf901f5d960e51d60d15213_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e77bc616611c024f7d59edc9962fe9011bd8252f0379075979e00bffc098bac7_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:10522a9c015a3851fb92dc3c11096cce8d425dbb9737559a2a2bdf96c0bc8c90_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:492f890a7c362aef38bc37026e7e876347dec0bbb539c3500e86c251fd8a6542_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:516da59066a260be9c0b4c0f88138aa6b4838f1cd0c2ae5707c69dbbf2094014_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b1afae748ebd50608980fe07600ee777ac794fa8f896fb14b5b23bbee07c7cb2_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:241cd995577155ae308e7854c5f2a55aa106a359c812fb7d346aeb5c5daf6c33_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:ab6d71605f3af774dca68c16cb34be8336d42974aa58e273ee54a233c407ade4_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:aebee16917807234bd1a55d11636a477da2e2889e7258590e114a1160ffcb115_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e92e8ec2f138a30ee2876de9eab449d3a94f5fbeaed645e8b0eb6f6ade63e4f8_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:58096085243c570e45bebc86abffff5f406ed2d8fb5ec1cad8171b4a1a2d21d2_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d73847b79d7ab5835630fcef3afd42f7939195b46a8d046c7a6719c44d1d6cb3_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:f62914040f263a6262eb474f0287f3a2fae152d2e0d9d0d46c1303847157082f_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:fca2e432bd533cdb9e296199cf397eca24b701efe2f56e1959801455c287ab51_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:09d51fc2ad83b60575616be21d8c728856689d718f1faddf2377e6127adb7de6_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:afdc9e8438e456445cc5ebeeb889b5eba0944a6d7f2d822f7d7360b0476e1a51_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:b53af57794980ee5e2ff7ebc1de3f06b61fd9da93174516ce0a4b39b47bb1335_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:c58e21effc6a0617bb6b2077c4751eab19af05bb3aed49dbefaf13cc07508841_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:4304b5faa3cecb148a078c5b508489d7e901c67c4d7e1309b09880e1893a801f_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:c9e70bb2b1563c884d170139be052cc6d9f4dba9a6f7391d7cbdb91470117dec_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e689f98a4488dca31ed5152cab535528975a91daadf901f5d960e51d60d15213_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e77bc616611c024f7d59edc9962fe9011bd8252f0379075979e00bffc098bac7_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:10522a9c015a3851fb92dc3c11096cce8d425dbb9737559a2a2bdf96c0bc8c90_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:492f890a7c362aef38bc37026e7e876347dec0bbb539c3500e86c251fd8a6542_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:516da59066a260be9c0b4c0f88138aa6b4838f1cd0c2ae5707c69dbbf2094014_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b1afae748ebd50608980fe07600ee777ac794fa8f896fb14b5b23bbee07c7cb2_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:241cd995577155ae308e7854c5f2a55aa106a359c812fb7d346aeb5c5daf6c33_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:ab6d71605f3af774dca68c16cb34be8336d42974aa58e273ee54a233c407ade4_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:aebee16917807234bd1a55d11636a477da2e2889e7258590e114a1160ffcb115_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e92e8ec2f138a30ee2876de9eab449d3a94f5fbeaed645e8b0eb6f6ade63e4f8_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:58096085243c570e45bebc86abffff5f406ed2d8fb5ec1cad8171b4a1a2d21d2_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d73847b79d7ab5835630fcef3afd42f7939195b46a8d046c7a6719c44d1d6cb3_ppc64le",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:f62914040f263a6262eb474f0287f3a2fae152d2e0d9d0d46c1303847157082f_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:fca2e432bd533cdb9e296199cf397eca24b701efe2f56e1959801455c287ab51_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:09d51fc2ad83b60575616be21d8c728856689d718f1faddf2377e6127adb7de6_s390x",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:afdc9e8438e456445cc5ebeeb889b5eba0944a6d7f2d822f7d7360b0476e1a51_amd64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:b53af57794980ee5e2ff7ebc1de3f06b61fd9da93174516ce0a4b39b47bb1335_arm64",
"multicluster engine for Kubernetes 2.7:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:c58e21effc6a0617bb6b2077c4751eab19af05bb3aed49dbefaf13cc07508841_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object"
}
]
}