Skip to main content

Red Hat OpenShift CVE-2026-15584

HIGH
Execution with Unnecessary Privileges (CWE-250)
2026-07-13 redhat
7.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.5 HIGH

Authenticated edit-role tenant (PR:L) execs over the API (AV:N) into pods that must already exist (AC:H); pod-to-node host root crosses the isolation boundary (S:C) with full C/I/A impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 13:16 vuln.today
CVE Published
Jul 13, 2026 - 12:01 cve.org
HIGH 7.5

DescriptionCVE.org

A privilege escalation vulnerability was found in the incluster-checks tool for OpenShift. The tool creates privileged debug pods with host filesystem access in the shared default namespace, where any user with the standard edit role can exec into them and obtain root access on cluster nodes.

AnalysisAI

Privilege escalation in Red Hat OpenShift's incluster-checks diagnostic tool lets any authenticated user holding the standard 'edit' RBAC role escalate to root on the underlying cluster nodes. The tool provisions privileged debug pods with host-filesystem access inside the shared default namespace, so a low-privileged tenant can simply exec into an existing pod and break out to the host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to cluster with edit role
Delivery
Locate privileged debug pods in default namespace
Exploit
kubectl exec into privileged pod
Execution
Access mounted host filesystem
Impact
Obtain root on cluster node

Vulnerability AssessmentAI

Exploitation Exploitation requires that the incluster-checks tool has been run and has created privileged debug pods with host-filesystem mounts in the shared default namespace, and that those pods are still present/running. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, base 7.5) and the description are partially inconsistent and should be reconciled by defenders. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A developer with only the standard OpenShift 'edit' role in the default namespace notices privileged debug pods left behind by incluster-checks. They run kubectl exec into one of the pods, chroot into the mounted host filesystem, and plant credentials or a breakout payload to gain root on the worker node, pivoting to other tenants' workloads. …
Remediation No vendor-released patch version is identified in the available data - track the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-15584 and Bugzilla 2499647 (https://bugzilla.redhat.com/show_bug.cgi?id=2499647) for the fixed build and apply it once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all users and service accounts holding the 'edit' RBAC role in production OpenShift clusters and revoke edit permissions from non-administrative users immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15584 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy