Skip to main content

OpenShift Cloud Credential Operator CVE-2026-10843

| EUVDEUVD-2026-34249 HIGH
Execution with Unnecessary Privileges (CWE-250)
2026-06-04 secalert@redhat.com GHSA-6w74-qhw6-wmwc
7.2
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.2 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 12:32 vuln.today

DescriptionCVE.org

A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise.

AnalysisAI

Privilege escalation in Red Hat OpenShift's Cloud Credential Operator (CCO) Mint-mode on AWS allows an attacker who compromises operator credentials to perform destructive actions across the entire AWS account rather than only cluster-owned resources. The over-privileged IAM policies break least-privilege boundaries, turning a single cluster credential leak into an account-wide blast radius. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

The Cloud Credential Operator manages cloud provider credentials for OpenShift cluster components. In Mint-mode on AWS, CCO uses an admin-level credential to dynamically create scoped IAM users/policies for in-cluster operators (registry, ingress, machine-API, etc.). The root cause is CWE-250 (Execution with Unnecessary Privileges): the IAM policy templates grant destructive actions (e.g., delete/terminate verbs against EC2, IAM, S3, ELB) without resource-level ARN constraints or condition keys tying them to the cluster's tag/owner, so the resulting principals can act on any resource in the AWS account, not just those the cluster owns. Red Hat tracks the issue in Bugzilla 2484738 and via the access.redhat.com CVE page.

Affected ProductsAI

Red Hat OpenShift Container Platform deployments on AWS that configure the Cloud Credential Operator in Mint mode are affected; clusters using Passthrough or Manual (STS/AssumeRole) credential modes are not in the same exposure class. No specific CPE strings or exact OCP version ranges were included in the provided NVD data - refer to the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-10843 and bug https://bugzilla.redhat.com/show_bug.cgi?id=2484738 for the authoritative affected-version matrix.

RemediationAI

Patch status from input data: no vendor-released fixed version is enumerated in the provided references, so treat this as patch available per vendor advisory and consult https://access.redhat.com/security/cve/CVE-2026-10843 plus Bugzilla 2484738 for the exact errata and fixed CCO/OCP versions. As a primary mitigation, migrate the cluster from Mint mode to Manual mode with AWS STS (IRSA-style short-lived tokens), which removes the long-lived account-wide admin credential entirely; the trade-off is an installation/upgrade workflow change and requires pre-provisioning per-component IAM roles. As a compensating control while patching, tighten the CCO admin IAM policy and the minted component policies with resource-ARN constraints and condition keys scoped to the cluster's infrastructure tag (e.g., kubernetes.io/cluster/<infraID>=owned), rotate any potentially exposed credentials, and enable CloudTrail alerting on destructive IAM/EC2 actions performed by CCO-managed principals - these constrain blast radius but do not eliminate the underlying over-permissioning.

Vendor StatusVendor

Share

CVE-2026-10843 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy