RHSA-2026:12116
Vulnerability from csaf_redhat - Published: 2026-04-30 06:52 - Updated: 2026-05-02 03:25
A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. The credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace. The affected components ship as part of Multicluster Engine (MCE). Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected. This issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode. Successful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.
A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.
A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Assisted installer RHEL 9 components for the multicluster engine for Kubernetes 2.10.2 General Availability release, with updates to container images.",
"title": "Topic"
},
{
"category": "general",
"text": "Assisted Installer RHEL 9 integrates components for the general multicluster engine\nfor Kubernetes 2.10.2 release that simplify the process of deploying OpenShift Container\nPlatform clusters.\n\nThe multicluster engine for Kubernetes provides the foundational components\nthat are necessary for the centralized management of multiple\nKubernetes-based clusters across data centers, public clouds, and private\nclouds.\n\nYou can use the engine to create new Red Hat OpenShift Container Platform\nclusters, or to import existing Kubernetes-based clusters for management.\n\nAfter the clusters are managed, you can use the APIs that\nare provided by the engine to distribute configuration based on placement\npolicy.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:12116",
"url": "https://access.redhat.com/errata/RHSA-2026:12116"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-7163",
"url": "https://access.redhat.com/security/cve/CVE-2026-7163"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33186",
"url": "https://access.redhat.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-34986",
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_12116.json"
}
],
"title": "Red Hat Security Advisory: Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.10.2",
"tracking": {
"current_release_date": "2026-05-02T03:25:57+00:00",
"generator": {
"date": "2026-05-02T03:25:57+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2026:12116",
"initial_release_date": "2026-04-30T06:52:26+00:00",
"revision_history": [
{
"date": "2026-04-30T06:52:26+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-30T14:47:48+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-02T03:25:57+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "multicluster engine for Kubernetes 2.1",
"product": {
"name": "multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:multicluster_engine:2.10::el9"
}
}
}
],
"category": "product_family",
"name": "multicluster engine for Kubernetes"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569_amd64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569_amd64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569_amd64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-image-service-rhel9@sha256%3A786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1773487346"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823_amd64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823_amd64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823_amd64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-rhel9@sha256%3A7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1776949906"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d_amd64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d_amd64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-agent-rhel9@sha256%3A57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1776351169"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a_amd64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a_amd64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a_amd64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-controller-rhel9@sha256%3A52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1776949909"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8_amd64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8_amd64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-service-9-rhel9@sha256%3A73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1776983527"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:f11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73_arm64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:f11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73_arm64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:f11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73_arm64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-image-service-rhel9@sha256%3Af11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1773487346"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a_arm64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a_arm64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a_arm64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-rhel9@sha256%3A6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1776949906"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114_arm64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114_arm64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114_arm64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-agent-rhel9@sha256%3A2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1776351169"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54_arm64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54_arm64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54_arm64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-controller-rhel9@sha256%3A085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1776949909"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17_arm64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17_arm64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17_arm64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-service-9-rhel9@sha256%3A3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1776983527"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c_ppc64le",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c_ppc64le",
"product_id": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/assisted-image-service-rhel9@sha256%3A448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1773487346"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:e1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153_ppc64le",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:e1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153_ppc64le",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:e1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-rhel9@sha256%3Ae1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1776949906"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6_ppc64le",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6_ppc64le",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-agent-rhel9@sha256%3Ab6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1776351169"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c_ppc64le",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c_ppc64le",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-controller-rhel9@sha256%3Af0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1776949909"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3_ppc64le",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3_ppc64le",
"product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/assisted-service-9-rhel9@sha256%3A07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1776983527"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219_s390x",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219_s390x",
"product_id": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219_s390x",
"product_identification_helper": {
"purl": "pkg:oci/assisted-image-service-rhel9@sha256%3A3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1773487346"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258_s390x",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258_s390x",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258_s390x",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-rhel9@sha256%3Aa12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1776949906"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:bfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74_s390x",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:bfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74_s390x",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:bfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74_s390x",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-agent-rhel9@sha256%3Abfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1776351169"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f_s390x",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f_s390x",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f_s390x",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-controller-rhel9@sha256%3A12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1776949909"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:fe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252_s390x",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:fe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252_s390x",
"product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:fe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252_s390x",
"product_identification_helper": {
"purl": "pkg:oci/assisted-service-9-rhel9@sha256%3Afe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1776983527"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219_s390x as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219_s390x"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219_s390x",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c_ppc64le as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c_ppc64le"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c_ppc64le",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569_amd64 as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569_amd64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569_amd64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:f11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73_arm64 as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:f11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73_arm64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:f11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73_arm64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114_arm64 as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114_arm64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114_arm64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d_amd64 as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d_amd64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d_amd64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6_ppc64le as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6_ppc64le"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6_ppc64le",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:bfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74_s390x as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:bfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74_s390x"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:bfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74_s390x",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54_arm64 as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54_arm64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54_arm64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f_s390x as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f_s390x"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f_s390x",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a_amd64 as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a_amd64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a_amd64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c_ppc64le as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c_ppc64le"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c_ppc64le",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a_arm64 as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a_arm64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a_arm64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823_amd64 as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823_amd64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823_amd64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258_s390x as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258_s390x"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258_s390x",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:e1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153_ppc64le as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:e1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153_ppc64le"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:e1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153_ppc64le",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3_ppc64le as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3_ppc64le"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3_ppc64le",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17_arm64 as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17_arm64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17_arm64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8_amd64 as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8_amd64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8_amd64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:fe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252_s390x as a component of multicluster engine for Kubernetes 2.1",
"product_id": "multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:fe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252_s390x"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:fe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252_s390x",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.1"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Omer Vishlitzky",
"Nick Carboni",
"Riccardo Piccoli"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2026-7163",
"cwe": {
"id": "CWE-312",
"name": "Cleartext Storage of Sensitive Information"
},
"discovery_date": "2026-04-27T04:18:06.534000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:f11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:bfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:e1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2463152"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. \n\nThe credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace.\n\nThe affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected.\nThis issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode.\n\nSuccessful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "assisted-service: assisted-service: Authenticated users can gain administrative access to OpenShift clusters via credential disclosure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:fe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252_s390x"
],
"known_not_affected": [
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:f11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:bfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:e1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7163"
},
{
"category": "external",
"summary": "RHBZ#2463152",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463152"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7163",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7163"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7163",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7163"
}
],
"release_date": "2026-04-30T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-30T06:52:26+00:00",
"details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.15/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.15/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.15.",
"product_ids": [
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:fe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:12116"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:f11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:bfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:e1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:fe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "assisted-service: assisted-service: Authenticated users can gain administrative access to OpenShift clusters via credential disclosure"
},
{
"cve": "CVE-2026-33186",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-03-20T23:02:27.802640+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:f11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:bfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:fe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2449833"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:e1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153_ppc64le"
],
"known_not_affected": [
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:f11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:bfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:fe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "RHBZ#2449833",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449833"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33186",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33186"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"category": "external",
"summary": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3",
"url": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3"
}
],
"release_date": "2026-03-20T22:23:32.147000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-30T06:52:26+00:00",
"details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.15/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.15/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.15.",
"product_ids": [
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:e1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:12116"
},
{
"category": "workaround",
"details": "To mitigate this issue, implement infrastructure-level normalization to ensure all incoming HTTP/2 `:path` headers are properly formatted with a leading slash before reaching the gRPC-Go server. This can be achieved by configuring a reverse proxy or API gateway to validate and normalize the `:path` header. Ensure that any such intermediary is properly configured and restarted to apply the changes, which may temporarily impact service availability.",
"product_ids": [
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:f11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:bfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:e1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:fe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:f11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:bfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:e1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:fe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation"
},
{
"cve": "CVE-2026-34986",
"cwe": {
"id": "CWE-131",
"name": "Incorrect Calculation of Buffer Size"
},
"discovery_date": "2026-04-06T17:01:34.639203+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:f11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:e1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:fe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455470"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:bfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74_s390x"
],
"known_not_affected": [
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:f11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:e1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:fe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "RHBZ#2455470",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-34986",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34986"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
},
{
"category": "external",
"summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
"url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
},
{
"category": "external",
"summary": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
"url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
}
],
"release_date": "2026-04-06T16:22:45.353000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-30T06:52:26+00:00",
"details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.15/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.15/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.15.",
"product_ids": [
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:bfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:12116"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:f11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:bfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:e1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:fe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:3f59623b74897f179a86165b21baad080d562b3acaeb44316273078002b02219_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:448b0ebba6b79d15613a0e77929c44006bced1bab7c1394e8ee50783275f082c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:786b3e50adeca379bf6e1a8ceeddc8bef235dfdbacc1caa77d0c1903c1069569_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:f11864d3c913d54cbbfdffdf2dd138c8fb43998128d1319cf29c4c731f2f2c73_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2015da323dfa9350f4192cce4d835c6a156041ebb8f13e3974e86cd8a0ac1114_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:57d6348d03788f7776f78f1ef75cf2cca02a3cfc9a562dd2d34ec00c30c3b25d_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:b6327e916068ceddbce6e1e64d89d0fe6501eaf7db702fd883ddd67412e35dc6_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:bfe5610b8d03fc7a9130d5e7b6dc7a9ac63903e2a21103ecc4d0ff1419eedc74_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:085d4698e4eb08202f1f9f1e6a85a3b0251a5d185ca9c9f4b77612640dd4fb54_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:12c01eb1e7b49ed43c86679afeecfef474dcb2dda051da83df825150fe910b6f_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:52b698386cf12b8423f3af3e27f25455e5bf248b8ed3b2713eca37ed64a78c2a_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f0ba1bf837f9f7f8db43b9597c49348b17f33d784129571f9f9646d5f6f4ac5c_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:6d7a77accd0f6c9eb52245c5f5b461be4522e251f35e90aec52b0f29ea81873a_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:7a73a376c4cca97ac7e80feade1fc2e652a31982967da489000c86fe810ab823_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a12f7d2451e297af33630d51d94b2ecba37747e50a33f7cbb7f5c267e63e7258_s390x",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:e1e9c33da21dc580cb93da748a4a22547a05b11fa33a97a744baebf26f351153_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:07ff3070b9860ada744508a2a1710014c23f7f44a1ac8547c8885368d79baee3_ppc64le",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:3774f8be3f1a4ca6a46aa3aba3ed6135dcd90ef0985f9b16e46b8b00e92f8e17_arm64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:73f20e3ce70608c606eeddc39e8dbd08747d0d27b4d6d84aaeddff8b32aaa3a8_amd64",
"multicluster engine for Kubernetes 2.1:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:fe73f932f408abfa6bed69664b73af371bb2a58e94a5da43491a65eeee774252_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.