Red Hat OpenShift CVE-2026-15584
HIGHSeverity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Authenticated edit-role tenant (PR:L) execs over the API (AV:N) into pods that must already exist (AC:H); pod-to-node host root crosses the isolation boundary (S:C) with full C/I/A impact.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A privilege escalation vulnerability was found in the incluster-checks tool for OpenShift. The tool creates privileged debug pods with host filesystem access in the shared default namespace, where any user with the standard edit role can exec into them and obtain root access on cluster nodes.
AnalysisAI
Privilege escalation in Red Hat OpenShift's incluster-checks diagnostic tool lets any authenticated user holding the standard 'edit' RBAC role escalate to root on the underlying cluster nodes. The tool provisions privileged debug pods with host-filesystem access inside the shared default namespace, so a low-privileged tenant can simply exec into an existing pod and break out to the host. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the incluster-checks tool has been run and has created privileged debug pods with host-filesystem mounts in the shared default namespace, and that those pods are still present/running. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, base 7.5) and the description are partially inconsistent and should be reconciled by defenders. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A developer with only the standard OpenShift 'edit' role in the default namespace notices privileged debug pods left behind by incluster-checks. They run kubectl exec into one of the pods, chroot into the mounted host filesystem, and plant credentials or a breakout payload to gain root on the worker node, pivoting to other tenants' workloads. … |
| Remediation | No vendor-released patch version is identified in the available data - track the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-15584 and Bugzilla 2499647 (https://bugzilla.redhat.com/show_bug.cgi?id=2499647) for the fixed build and apply it once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all users and service accounts holding the 'edit' RBAC role in production OpenShift clusters and revoke edit permissions from non-administrative users immediately. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-250 – Execution with Unnecessary Privileges
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today