Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
PR:H reflects mandatory editor-level RBAC access; S:C and C:H capture cross-namespace SA token exfiltration enabling privilege escalation.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrate SA tokens and escalate privileges.
AnalysisAI
Privilege escalation via ServiceAccount token exfiltration affects the OpenShift Cluster Logging Operator, allowing a user with delegated editor-level access to the ClusterLogForwarder resource to harvest SA tokens they were never authorized to use. The operator creates ServiceAccount tokens and forwards them to configured log output destinations without verifying whether the ClusterLogForwarder creator holds permission to consume those credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker hold a Kubernetes RBAC role granting create or update permissions on ClusterLogForwarder custom resources within the OpenShift cluster - this corresponds to a 'delegated editor' role as described in the CVE. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.8 reflects a notable but constrained risk profile: PR:H indicates the attacker must already hold high privileges (delegated editor access to create ClusterLogForwarder resources), which meaningfully limits the attack surface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has compromised or legitimately holds a delegated editor account within an OpenShift cluster creates a ClusterLogForwarder resource specifying an attacker-controlled HTTPS endpoint as the log output destination. The Cluster Logging Operator, without checking the creator's authorization, generates a ServiceAccount token scoped to a privileged SA and forwards it to the attacker's endpoint embedded in the request. … |
| Remediation | The primary remediation is to apply the patch released by Red Hat via the official advisory at https://access.redhat.com/security/cve/CVE-2026-10609; however, no specific fixed version number is confirmed in the available data - verify the exact patched release from the advisory before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38448
GHSA-9xm2-gw56-wj7m