RHSA-2026:25041
Vulnerability from csaf_redhat - Published: 2026-06-10 09:42 - Updated: 2026-06-11 18:14

A denial of service flaw has been discovered in the Axios npm package. The `mergeConfig` function in axios crashes with a `TypeError` when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via `JSON.parse()`, causing complete denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64 | — | | Vendor Fix (fix), Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64 | — | | Workaround |

A flaw was found in Axios, a promise-based HTTP client. This vulnerability, known as Prototype Pollution, can be exploited through a specific "Gadget" attack chain. This allows an attacker to escalate a Prototype Pollution vulnerability in a third-party dependency, potentially leading to remote code execution or a full cloud compromise, such as bypassing AWS IMDSv2.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64 | — | | Vendor Fix (fix) |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64 | — |
A flaw was found in Axios, an HTTP client library. This vulnerability allows an attacker to exploit a prototype pollution issue if another part of the application has already polluted the Object.prototype. By doing so, the attacker can intercept and modify JSON responses or take control of the HTTP communication. This could lead to unauthorized access to sensitive information like user credentials and request details.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64 | — | | Vendor Fix (fix) |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64 | — |
A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application's core object definitions are manipulated, causing Axios to misinterpret data and include attacker-controlled headers in network communications. This could lead to unauthorized actions or data manipulation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64 | — | | Vendor Fix (fix), Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64 | — | | Workaround |

A flaw was found in Axios, a promise-based HTTP client for browsers and Node.js. This vulnerability occurs because the `toFormData` function recursively processes nested objects without a depth limit. A remote attacker can exploit this by sending deeply nested request data, which causes the Node.js process to crash with a RangeError, leading to a potential Denial of Service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64 | — | | Vendor Fix (fix) |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64 | — |
A flaw was found in Axios, a promise-based HTTP client. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to manipulate the `Object.prototype.validateStatus` property. By polluting this property, all HTTP error responses (such as 401, 403, or 500) are silently treated as successful responses. This can lead to a complete bypass of application-level authentication and error handling, potentially granting unauthorized access.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64 | — | | Vendor Fix (fix) |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64 | — |
A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses (within the 127.0.0.0/8 range, excluding 127.0.0.1), the attacker can completely bypass the NO_PROXY protection, potentially leading to unauthorized access or information disclosure within the network. This issue is an incomplete fix for a previous vulnerability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64 | — | | Vendor Fix (fix) |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64 | — | ||
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64 | — |
A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution "Gadget" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64 | — | | Vendor Fix (fix), Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64 | — | | Workaround |

{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A new version of Migration Toolkit for Containers (MTC) is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "The Migration Toolkit for Containers (MTC) enables you to migrate\nKubernetes resources, persistent volume data, and internal container images\nbetween OpenShift Container Platform clusters, using the MTC web console or\nthe Kubernetes API.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:25041",
"url": "https://access.redhat.com/errata/RHSA-2026:25041"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-25639",
"url": "https://access.redhat.com/security/cve/CVE-2026-25639"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-40175",
"url": "https://access.redhat.com/security/cve/CVE-2026-40175"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42033",
"url": "https://access.redhat.com/security/cve/CVE-2026-42033"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42035",
"url": "https://access.redhat.com/security/cve/CVE-2026-42035"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42039",
"url": "https://access.redhat.com/security/cve/CVE-2026-42039"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42041",
"url": "https://access.redhat.com/security/cve/CVE-2026-42041"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42043",
"url": "https://access.redhat.com/security/cve/CVE-2026-42043"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42044",
"url": "https://access.redhat.com/security/cve/CVE-2026-42044"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html-single/migration_toolkit_for_containers/index",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html-single/migration_toolkit_for_containers/index"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_25041.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Migration Toolkit for Containers",
"tracking": {
"current_release_date": "2026-06-11T18:14:48+00:00",
"generator": {
"date": "2026-06-11T18:14:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHSA-2026:25041",
"initial_release_date": "2026-06-10T09:42:41+00:00",
"revision_history": [
{
"date": "2026-06-10T09:42:41+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-10T09:42:52+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-11T18:14:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Migration Toolkit 1.8",
"product": {
"name": "Red Hat Migration Toolkit 1.8",
"product_id": "Red Hat Migration Toolkit 1.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhmt:1.8::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Migration Toolkit"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"product": {
"name": "registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"product_id": "registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-controller-rhel8@sha256%3A0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-controller-rhel8\u0026tag=1780591271"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"product": {
"name": "registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"product_id": "registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-hook-runner-rhel8@sha256%3A3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8\u0026tag=1780482702"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"product": {
"name": "registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"product_id": "registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-log-reader-rhel8@sha256%3A6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8\u0026tag=1780591182"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"product": {
"name": "registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"product_id": "registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-must-gather-rhel8@sha256%3A10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8\u0026tag=1780591197"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"product": {
"name": "registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"product_id": "registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-openvpn-rhel8@sha256%3A939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8\u0026tag=1780591158"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"product": {
"name": "registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"product_id": "registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-rhel8-operator@sha256%3A2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-rhel8-operator\u0026tag=1780812090"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"product": {
"name": "registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"product_id": "registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-operator-bundle@sha256%3Ad464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-operator-bundle\u0026tag=1780812429"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"product": {
"name": "registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"product_id": "registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-registry-rhel8@sha256%3A937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-registry-rhel8\u0026tag=1780591225"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"product": {
"name": "registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"product_id": "registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-rsync-transfer-rhel8@sha256%3Aadabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8\u0026tag=1780591183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64",
"product": {
"name": "registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64",
"product_id": "registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-ui-rhel8@sha256%3Add0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-ui-rhel8\u0026tag=1780590717"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64",
"product": {
"name": "registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64",
"product_id": "registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-velero-plugin-for-mtc-rhel8@sha256%3Ad7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8\u0026tag=1780591199"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64 as a component of Red Hat Migration Toolkit 1.8",
"product_id": "Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64"
},
"product_reference": "registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"relates_to_product_reference": "Red Hat Migration Toolkit 1.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64 as a component of Red Hat Migration Toolkit 1.8",
"product_id": "Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64"
},
"product_reference": "registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"relates_to_product_reference": "Red Hat Migration Toolkit 1.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64 as a component of Red Hat Migration Toolkit 1.8",
"product_id": "Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64"
},
"product_reference": "registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"relates_to_product_reference": "Red Hat Migration Toolkit 1.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64 as a component of Red Hat Migration Toolkit 1.8",
"product_id": "Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64"
},
"product_reference": "registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"relates_to_product_reference": "Red Hat Migration Toolkit 1.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64 as a component of Red Hat Migration Toolkit 1.8",
"product_id": "Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64"
},
"product_reference": "registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"relates_to_product_reference": "Red Hat Migration Toolkit 1.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64 as a component of Red Hat Migration Toolkit 1.8",
"product_id": "Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64"
},
"product_reference": "registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"relates_to_product_reference": "Red Hat Migration Toolkit 1.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64 as a component of Red Hat Migration Toolkit 1.8",
"product_id": "Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64"
},
"product_reference": "registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"relates_to_product_reference": "Red Hat Migration Toolkit 1.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64 as a component of Red Hat Migration Toolkit 1.8",
"product_id": "Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64"
},
"product_reference": "registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"relates_to_product_reference": "Red Hat Migration Toolkit 1.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64 as a component of Red Hat Migration Toolkit 1.8",
"product_id": "Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64"
},
"product_reference": "registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"relates_to_product_reference": "Red Hat Migration Toolkit 1.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64 as a component of Red Hat Migration Toolkit 1.8",
"product_id": "Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64"
},
"product_reference": "registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64",
"relates_to_product_reference": "Red Hat Migration Toolkit 1.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64 as a component of Red Hat Migration Toolkit 1.8",
"product_id": "Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
},
"product_reference": "registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64",
"relates_to_product_reference": "Red Hat Migration Toolkit 1.8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25639",
"cwe": {
"id": "CWE-1287",
"name": "Improper Validation of Specified Type of Input"
},
"discovery_date": "2026-02-09T21:00:49.280114+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2438237"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw has been discovered in the Axios npm package. The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64"
],
"known_not_affected": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-25639"
},
{
"category": "external",
"summary": "RHBZ#2438237",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438237"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-25639",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25639"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-25639",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25639"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57",
"url": "https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/releases/tag/v1.13.5",
"url": "https://github.com/axios/axios/releases/tag/v1.13.5"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433",
"url": "https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433"
}
],
"release_date": "2026-02-09T20:11:22.374000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T09:42:41+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25041"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig"
},
{
"cve": "CVE-2026-40175",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-10T20:02:10.296601+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2457432"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability, known as Prototype Pollution, can be exploited through a specific \"Gadget\" attack chain. This allows an attacker to escalate a Prototype Pollution vulnerability in a third-party dependency, potentially leading to remote code execution or a full cloud compromise, such as bypassing AWS IMDSv2.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Remote Code Execution via Prototype Pollution escalation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Axios library, a promise-based HTTP client, is susceptible to an Important prototype pollution vulnerability. This flaw, when combined with specific \"Gadget\" attack chains in third-party dependencies, can lead to remote code execution or full cloud compromise, including bypassing AWS IMDSv2.\n \nAlthough the pollution check patch available in Axios gives an advantage, it remains vulnerable due to HTTP Header Sanitization and Server-Side Request Forgery threats.\n\nRed Hat products that incorporate the vulnerable Axios library are affected.\n\nThe openshift4/ose-monitoring-plugin-rhel9 container image is not vulnerable to this flaw. The affected component is used as a build-time dependency but it\u0027s not shipped in the final product, meaning the flaw is not present and thus cannot be exploited in the container deployments.\n\nRegarding openshift4/ose-console for product streams 4.12 and 4.13, the vulnerable component is present (indirect dependency), but the vulnerability is not exploitable in our case due to the browser runtime, where the required Node.js-specific attack vectors are not available. With this, the impact becomes low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64"
],
"known_not_affected": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-40175"
},
{
"category": "external",
"summary": "RHBZ#2457432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457432"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-40175",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40175"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1",
"url": "https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/pull/10660",
"url": "https://github.com/axios/axios/pull/10660"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/releases/tag/v1.15.0",
"url": "https://github.com/axios/axios/releases/tag/v1.15.0"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx",
"url": "https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx"
}
],
"release_date": "2026-04-10T19:23:52.285000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T09:42:41+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25041"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Remote Code Execution via Prototype Pollution escalation"
},
{
"cve": "CVE-2026-42033",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T18:01:20.937507+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461607"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, an HTTP client library. This vulnerability allows an attacker to exploit a prototype pollution issue if another part of the application has already polluted the Object.prototype. By doing so, the attacker can intercept and modify JSON responses or take control of the HTTP communication. This could lead to unauthorized access to sensitive information like user credentials and request details.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: HTTP Transport Hijacking via Prototype Pollution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64"
],
"known_not_affected": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42033"
},
{
"category": "external",
"summary": "RHBZ#2461607",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461607"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42033",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42033"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf"
}
],
"release_date": "2026-04-24T17:36:44.132000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T09:42:41+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25041"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: HTTP Transport Hijacking via Prototype Pollution"
},
{
"cve": "CVE-2026-42035",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T18:01:17.109481+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461606"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application\u0027s core object definitions are manipulated, causing Axios to misinterpret data and include attacker-controlled headers in network communications. This could lead to unauthorized actions or data manipulation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Arbitrary HTTP header injection via prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64"
],
"known_not_affected": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42035"
},
{
"category": "external",
"summary": "RHBZ#2461606",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461606"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42035",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42035"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9",
"url": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9"
}
],
"release_date": "2026-04-24T17:38:07.752000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T09:42:41+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25041"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "axios: Axios: Arbitrary HTTP header injection via prototype pollution"
},
{
"cve": "CVE-2026-42039",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-04-24T19:01:44.887156+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461630"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client for browsers and Node.js. This vulnerability occurs because the `toFormData` function recursively processes nested objects without a depth limit. A remote attacker can exploit this by sending deeply nested request data, which causes the Node.js process to crash due to a RangeError, leading to a potential Denial of Service (DoS) if the process crashes.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64"
],
"known_not_affected": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42039"
},
{
"category": "external",
"summary": "RHBZ#2461630",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461630"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42039",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42039"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9",
"url": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9"
}
],
"release_date": "2026-04-24T18:01:30.775000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T09:42:41+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25041"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data"
},
{
"cve": "CVE-2026-42041",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T19:01:41.034289+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461629"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability, a Prototype Pollution \"Gadget\" attack, allows an attacker to manipulate the `Object.prototype.validateStatus` property. By polluting this property, all HTTP error responses (such as 401, 403, or 500) are silently treated as successful responses. This can lead to a complete bypass of application-level authentication and error handling, potentially granting unauthorized access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64"
],
"known_not_affected": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42041"
},
{
"category": "external",
"summary": "RHBZ#2461629",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461629"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42041",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42041"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42041",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42041"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63",
"url": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63"
}
],
"release_date": "2026-04-24T17:55:30.036000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T09:42:41+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25041"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling"
},
{
"cve": "CVE-2026-42043",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2026-04-24T19:01:22.552379+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461626"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses (within the 127.0.0.0/8 range, excluding 127.0.0.1), the attacker can completely bypass the NO_PROXY protection, potentially leading to unauthorized access or information disclosure within the network. This issue is an incomplete fix for a previous vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: NO_PROXY bypass via crafted URL",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64"
],
"known_not_affected": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42043"
},
{
"category": "external",
"summary": "RHBZ#2461626",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461626"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42043",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42043"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42043",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42043"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7",
"url": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7"
}
],
"release_date": "2026-04-24T17:54:42.668000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T09:42:41+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25041"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: NO_PROXY bypass via crafted URL"
},
{
"cve": "CVE-2026-42044",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T19:01:13.418725+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461624"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution \"Gadget\" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64"
],
"known_not_affected": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42044"
},
{
"category": "external",
"summary": "RHBZ#2461624",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461624"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42044",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42044"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23",
"url": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23"
}
],
"release_date": "2026-04-24T17:49:49.517000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T09:42:41+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25041"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-controller-rhel8@sha256:0cba0be1e3a9b2372a3ac886ef4eab4df26477dfbc6c05cfb1a777cffc140cae_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8@sha256:3627ad1ad96e923f1df9351be45f577c3626337a7ddb655dfca7b37f072ce9cf_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8@sha256:6ad18683cca4a6f3d79b01ef2cf77d14d5759513de664c885d0b0ecf806a127d_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8@sha256:10353c1f0701f08fedb59a293cf9ac047142012f8970e45d43a235df086394d8_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8@sha256:939aea38e821fdc02d57e36a6b29e8bee99cfce482cc4203a8f4c3b64229b123_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-operator-bundle@sha256:d464ca3699dbfe6a89d96bccc0816b531ec84d61bdf44ca99a29e562787f9889_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-registry-rhel8@sha256:937e190c974b9af97313524516e02f04adef637df5de3e3a2ff502e5e135c3e1_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rhel8-operator@sha256:2c4a1b84c4a428102ed984cd565e3a2c3919cef093c7bab1f7ec0e2b4a3d8155_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:adabb068c94f2fcefe7d8924563a5a5d0fd32217bad330416d755de507c69334_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-ui-rhel8@sha256:dd0b544f95487c18174c922d7b0d979a457e84479bf93549bd152d2477f124bb_amd64",
"Red Hat Migration Toolkit 1.8:registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:d7da58f4a2ec52d420426957cdf640d589016db80ca8769fbfedadf17c735361_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.