CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Description
A flaw was found in Red Hat OpenShift AI (RHOAI) llama-stack-operator. This vulnerability allows unauthorized access to Llama Stack services deployed in other namespaces via direct network requests, because no NetworkPolicy restricts access to the llama-stack service endpoint. As a result, a user in one namespace can access another user’s Llama Stack instance and potentially view or manipulate sensitive data.
Analysis
Red Hat OpenShift AI llama-stack-operator permits unauthorized cross-namespace access to Llama Stack service endpoints due to missing NetworkPolicy enforcement, enabling authenticated users in one namespace to view or modify sensitive data in another user's Llama Stack instances. CVSS 8.1 (High) reflects high confidentiality and integrity impact with low-privilege authenticated network access. No public exploit identified at time of analysis, though the compartmentalization weakness (CWE-653) is architecturally straightforward to leverage once cluster access is obtained.
Technical Context
The vulnerability resides in Red Hat OpenShift AI llama-stack-operator, which orchestrates Llama Stack inference services across Kubernetes namespaces. Affected products include Red Hat OpenShift AI 2.25 and RHOAI (cpe:2.3:a:red_hat:red_hat_openshift_ai_2.25 and cpe:2.3:a:red_hat:red_hat_openshift_ai_(rhoai)). The root cause is CWE-653 (Insufficient Compartmentalization), where the operator deploys llama-stack service endpoints without implementing Kubernetes NetworkPolicy resources to enforce namespace isolation. In multi-tenant Kubernetes environments, network traffic is unrestricted by default between pods across namespaces unless explicitly denied via NetworkPolicy. This architectural gap allows direct TCP/HTTP requests from pods in one namespace to service endpoints in another, bypassing logical tenant boundaries that users expect OpenShift's namespace model to provide.
Affected Products
Red Hat OpenShift AI version 2.25 is confirmed affected, as well as broader Red Hat OpenShift AI (RHOAI) deployments utilizing the llama-stack-operator component. CPE identifiers cpe:2.3:a:red_hat:red_hat_openshift_ai_2.25:*:*:*:*:*:*:*:* and cpe:2.3:a:red_hat:red_hat_openshift_ai_(rhoai):*:*:*:*:*:*:*:* encompass the vulnerable product range. Vendor security advisories are available at https://access.redhat.com/errata/RHSA-2026:2106 and https://access.redhat.com/errata/RHSA-2026:2695, with additional technical details at https://access.redhat.com/security/cve/CVE-2025-12805 and Red Hat Bugzilla entry 2413101.
Remediation
Apply security updates referenced in Red Hat Security Advisories RHSA-2026:2106 (https://access.redhat.com/errata/RHSA-2026:2106) and RHSA-2026:2695 (https://access.redhat.com/errata/RHSA-2026:2695) to deploy patched versions of the llama-stack-operator that implement proper NetworkPolicy configurations. Consult the vendor advisories for specific package versions and installation procedures. As an interim mitigation until patching is completed, manually define and apply Kubernetes NetworkPolicy resources to restrict ingress traffic to llama-stack service endpoints, permitting connections only from pods within the same namespace and explicitly denying cross-namespace access. Review namespace RBAC policies to limit pod creation privileges to trusted users only, reducing the attack surface for exploiting this isolation failure.
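The interim mitigation above, as an added example (not Red Hat's or the operator's code): it embeds a same-namespace-only NetworkPolicy and audits policy objects, in the shape of `kubectl get networkpolicy -o json` items, for rules that still admit cross-namespace ingress. The `app: llama-stack` label and `tenant-a` namespace are placeholder assumptions; substitute the labels actually present on your Llama Stack pods.

```python
def matches(selector, labels):
    """Evaluate a Kubernetes LabelSelector; an empty selector matches every pod."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, values = expr["key"], expr.get("values") or []
        ok = {"In": labels.get(key) in values,
              "NotIn": labels.get(key) not in values,
              "Exists": key in labels,
              "DoesNotExist": key not in labels}[expr["operator"]]
        if not ok:
            return False
    return True


def audit_ingress(namespace, pod_labels, policies):
    """Return reasons the pod is reachable from other namespaces ([] = none found)."""
    findings, selected = [], False
    for policy in policies:
        meta, spec = policy["metadata"], policy["spec"]
        if meta.get("namespace") != namespace:
            continue  # a NetworkPolicy only applies inside its own namespace
        if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
            continue
        if not matches(spec.get("podSelector") or {}, pod_labels):
            continue
        selected = True  # pod is now default-deny for ingress; rules are additive
        for rule in spec.get("ingress") or []:
            peers = rule.get("from") or []
            if not peers:
                findings.append(f"{meta['name']}: rule without 'from' admits every source")
            for peer in peers:
                if "namespaceSelector" in peer:
                    findings.append(f"{meta['name']}: namespaceSelector peer admits other namespaces")
                if "ipBlock" in peer:
                    findings.append(f"{meta['name']}: ipBlock peer is not namespace-scoped")
    if not selected:
        findings.append("no Ingress policy selects the pod: default allow-all applies")
    return findings


# Constructed sample of the interim policy: a bare podSelector peer means
# "any pod in this namespace". Label and namespace are placeholders.
SAME_NS_ONLY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "llama-stack-same-namespace", "namespace": "tenant-a"},
    "spec": {"podSelector": {"matchLabels": {"app": "llama-stack"}},
             "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {}}]}]},
}
```

Because NetworkPolicy rules are additive, the audit reports any second policy that selects the same pods and reopens cross-namespace ingress, even when the same-namespace policy is in place.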
EUVD-2025-209086
GHSA-cq3g-qvxc-ghr5