Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise.
AnalysisAI
Privilege escalation in Red Hat OpenShift's Cloud Credential Operator (CCO) Mint-mode on AWS allows an attacker who compromises operator credentials to perform destructive actions across the entire AWS account rather than only cluster-owned resources. The over-privileged IAM policies break least-privilege boundaries, turning a single cluster credential leak into an account-wide blast radius. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
The Cloud Credential Operator manages cloud provider credentials for OpenShift cluster components. In Mint-mode on AWS, CCO uses an admin-level credential to dynamically create scoped IAM users/policies for in-cluster operators (registry, ingress, machine-API, etc.). The root cause is CWE-250 (Execution with Unnecessary Privileges): the IAM policy templates grant destructive actions (e.g., delete/terminate verbs against EC2, IAM, S3, ELB) without resource-level ARN constraints or condition keys tying them to the cluster's tag/owner, so the resulting principals can act on any resource in the AWS account, not just those the cluster owns. Red Hat tracks the issue in Bugzilla 2484738 and via the access.redhat.com CVE page.
Affected ProductsAI
Red Hat OpenShift Container Platform deployments on AWS that configure the Cloud Credential Operator in Mint mode are affected; clusters using Passthrough or Manual (STS/AssumeRole) credential modes are not in the same exposure class. No specific CPE strings or exact OCP version ranges were included in the provided NVD data - refer to the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-10843 and bug https://bugzilla.redhat.com/show_bug.cgi?id=2484738 for the authoritative affected-version matrix.
RemediationAI
Patch status from input data: no vendor-released fixed version is enumerated in the provided references, so treat this as patch available per vendor advisory and consult https://access.redhat.com/security/cve/CVE-2026-10843 plus Bugzilla 2484738 for the exact errata and fixed CCO/OCP versions. As a primary mitigation, migrate the cluster from Mint mode to Manual mode with AWS STS (IRSA-style short-lived tokens), which removes the long-lived account-wide admin credential entirely; the trade-off is an installation/upgrade workflow change and requires pre-provisioning per-component IAM roles. As a compensating control while patching, tighten the CCO admin IAM policy and the minted component policies with resource-ARN constraints and condition keys scoped to the cluster's infrastructure tag (e.g., kubernetes.io/cluster/<infraID>=owned), rotate any potentially exposed credentials, and enable CloudTrail alerting on destructive IAM/EC2 actions performed by CCO-managed principals - these constrain blast radius but do not eliminate the underlying over-permissioning.
Same weakness CWE-250 – Execution with Unnecessary Privileges
View allSame technique Privilege Escalation
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34249
GHSA-6w74-qhw6-wmwc