Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Remote unauthenticated XSD input (AV:N/AC:L/PR:N/UI:N); SSRF crosses trust boundary (S:C) reading credentials/files (C:H), minor internal state change (I:L), no availability impact.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in the file_type content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an arbitrary XML Schema Definition (XSD) string, which is processed without proper restrictions. This can lead to server-side requests to arbitrary URLs or local file reads, potentially resulting in sensitive information disclosure, such as cloud provider credentials or access to internal network services.
AnalysisAI
Server-side request forgery in the file_type content detector of guardrails-detectors (a component shipped with Red Hat OpenShift AI/RHOAI) allows a remote attacker to submit an arbitrary XML Schema Definition (XSD) that the parser resolves without restriction, coercing the server into fetching attacker-chosen URLs or reading local files. Because the CVSS vector is AV:N/PR:N/UI:N with a changed scope and high confidentiality impact (base score 9.3), an unauthenticated attacker can pivot into internal networks and harvest secrets such as cloud provider credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The concrete prerequisite is that the attacker can reach the guardrails-detectors service and submit input to the file_type content detector that accepts an arbitrary XSD/XML Schema string, which the detector then parses and resolves without disabling external references. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are largely aligned toward high priority but incomplete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to a guardrails-detectors endpoint submits content to the file_type detector containing a crafted XSD whose schema reference points at the cloud instance-metadata service or an internal-only URL. The server resolves the reference and returns or leaks the response, letting the attacker read cloud credentials or reach services that are not exposed externally; a second variant uses a file:// reference to read local files. … |
| Remediation | No vendor-released patch version is identified at time of analysis - the provided references point to the Red Hat CVE page (https://access.redhat.com/security/cve/CVE-2026-15143) and Bugzilla 2498165, not to a tagged fixed release - so monitor those advisories and apply the RHOAI errata/updated guardrails-detectors image as soon as Red Hat publishes it. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all Red Hat OpenShift AI deployments to identify guardrails-detectors versions and document network exposure; confirm component functionality requirements. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Openshift Ai Rhoai
View allKubernetes Service Account token disclosure in the odh-dashboard component of Red Hat OpenShift AI (RHOAI) lets an authe
Arbitrary file write in the Feast Feature Server's `/save-document` endpoint lets an unauthenticated remote attacker wri
The Feast Feature Server contains a path traversal vulnerability in its `/read-document` endpoint that allows unauthenti
Denial of service in the Feast Feature Server (the Python feature-store serving component, also shipped within Red Hat O
Sensitive information disclosure in Red Hat OpenShift AI's vllm-orchestrator-gateway component exposes bearer tokens and
Use-after-free in FFmpeg's RASC video decoder exposes Red Hat Enterprise Linux AI 3 and Red Hat OpenShift AI deployments
Unproxied metrics port exposure in the gorch service template of trustyai-service-operator (part of Red Hat OpenShift AI
Image input manipulation in vLLM's multimodal preprocessing pipeline allows remote, unauthenticated network attackers to
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42927
GHSA-34cr-c6hf-4xgc