Runtimes Inventory Operator CVE-2025-11393
HIGHSeverity by source
AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attacker must be an authenticated standard cluster user (PR:L) with intra-cluster adjacency (AV:A); the confused-deputy proxy crosses authority to the platform (S:C) with high confidentiality/integrity but no availability impact.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle.
This allows a standard user within the cluster to send unauthorized commands to the management platform, effectively acting with the full permissions of the cluster administrator. This could lead to unauthorized changes to the cluster's configuration or status on the Red Hat platform.
AnalysisAI
Privilege escalation in Red Hat's runtimes-inventory-rhel8-operator lets a standard cluster user act with full cluster-administrator authority on the Red Hat management platform. A misconfigured internal proxy attaches the cluster's main administrative credentials to every command it relays - not just the report traffic it should handle - so any authenticated user can issue admin-level instructions and alter cluster configuration or status. There is no public exploit identified at time of analysis, EPSS is low (0.21%, 12th percentile), and the issue is not in CISA KEV, but the impact is a classic confused-deputy authentication bypass and Red Hat has shipped a fix.
Technical ContextAI
The affected component is the runtimes-inventory operator packaged for RHEL 8 (OpenShift/Red Hat platform tooling that collects and reports application runtime inventory data). The root cause is CWE-441 (Unintended Proxy or Intermediary, the 'Confused Deputy' pattern): an internal proxy is intended to forward only specific inventory reports to the management platform, but it is configured to indiscriminately bind the cluster's privileged administrative credentials to whatever request it receives. Because the proxy is the security decision-maker that holds the powerful credential and fails to constrain which requests may use it, a lower-privileged caller inherits the proxy's authority. No CPE strings were provided in the source data; the affected package is identified by its name (runtimes-inventory-rhel8-operator) rather than enumerated CPEs.
Affected ProductsAI
The affected product is the Red Hat runtimes-inventory-rhel8-operator (Runtimes Inventory Operator for RHEL 8), as deployed against the Red Hat management platform/OpenShift. Exact fixed and affected version strings were not included in the provided data and no CPE list was supplied; the authoritative version boundaries should be read from Red Hat's advisory. Relevant vendor references are the errata RHSA-2025:23236 (https://access.redhat.com/errata/RHSA-2025:23236), the Red Hat CVE page (https://access.redhat.com/security/cve/CVE-2025-11393), and the tracking bug Bugzilla 2402032 (https://bugzilla.redhat.com/show_bug.cgi?id=2402032).
RemediationAI
Patch available per vendor advisory: apply the update shipped in Red Hat errata RHSA-2025:23236 (https://access.redhat.com/errata/RHSA-2025:23236) to the runtimes-inventory-rhel8-operator; the exact fixed version is not stated in the provided data and should be confirmed from that errata before deployment. Until the operator is updated, reduce exposure by limiting who can reach the operator and its internal proxy: restrict the operator namespace and its service/endpoints to trusted administrators using RBAC and NetworkPolicies so standard users cannot send commands through the proxy (trade-off: may interrupt legitimate inventory reporting for restricted users), and consider temporarily disabling or scaling down the inventory operator if the reporting feature is non-essential (trade-off: loss of runtime inventory collection). Consult the Red Hat CVE page (https://access.redhat.com/security/cve/CVE-2025-11393) and Bugzilla 2402032 (https://bugzilla.redhat.com/show_bug.cgi?id=2402032) for definitive guidance and version numbers.
Same technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: ImportantShare
External POC / Exploit Code
Leaving vuln.today