Skip to main content

Cluster Logging Operator CVE-2026-10609

| EUVDEUVD-2026-38448 MEDIUM
Missing Authorization (CWE-862)
2026-06-23 redhat GHSA-9xm2-gw56-wj7m
6.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
6.8 MEDIUM

PR:H reflects mandatory editor-level RBAC access; S:C and C:H capture cross-namespace SA token exfiltration enabling privilege escalation.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Red Hat
6.8 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 23, 2026 - 14:16 vuln.today

DescriptionCVE.org

A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrate SA tokens and escalate privileges.

AnalysisAI

Privilege escalation via ServiceAccount token exfiltration affects the OpenShift Cluster Logging Operator, allowing a user with delegated editor-level access to the ClusterLogForwarder resource to harvest SA tokens they were never authorized to use. The operator creates ServiceAccount tokens and forwards them to configured log output destinations without verifying whether the ClusterLogForwarder creator holds permission to consume those credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain delegated editor role in logging namespace
Delivery
Craft ClusterLogForwarder pointing to attacker endpoint
Exploit
Operator generates SA token without authorization check
Install
SA token forwarded to attacker-controlled destination
C2
Exfiltrate SA token from log output
Execute
Authenticate to OpenShift API as privileged ServiceAccount
Impact
Escalate privileges cluster-wide

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker hold a Kubernetes RBAC role granting create or update permissions on ClusterLogForwarder custom resources within the OpenShift cluster - this corresponds to a 'delegated editor' role as described in the CVE. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.8 reflects a notable but constrained risk profile: PR:H indicates the attacker must already hold high privileges (delegated editor access to create ClusterLogForwarder resources), which meaningfully limits the attack surface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has compromised or legitimately holds a delegated editor account within an OpenShift cluster creates a ClusterLogForwarder resource specifying an attacker-controlled HTTPS endpoint as the log output destination. The Cluster Logging Operator, without checking the creator's authorization, generates a ServiceAccount token scoped to a privileged SA and forwards it to the attacker's endpoint embedded in the request. …
Remediation The primary remediation is to apply the patch released by Red Hat via the official advisory at https://access.redhat.com/security/cve/CVE-2026-10609; however, no specific fixed version number is confirmed in the available data - verify the exact patched release from the advisory before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-10609 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy