What is the CVSS score of CVE-2026-42965?

CVE-2026-42965 has a CVSS 3.1 base score of 7.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of OpenShift Router are affected by CVE-2026-42965?

OpenShift 4 deployments face insider-accessible cloud credential exposure through a Router component vulnerability requiring immediate permission restrictions.

How to fix or mitigate CVE-2026-42965?

Within 24 hours: Audit all users and service accounts with EndpointSlice write permissions across OpenShift 4 clusters; document current access. Within 7 days: Revoke EndpointSlice write permissions to essential administrators only; deploy network policies blocking 169.254.169.254 access from router namespace; enable comprehensive audit logging for EndpointSlice modifications. Within 30 days: Monitor Red Hat security advisories for CVE-2026-42965 patch release; prepare upgrade plan to patched OpenShift 4.x version; test controls for effectiveness.

OpenShift Router CVE-2026-42965

EUVD-2026-33275 HIGH

Server-Side Request Forgery (SSRF) (CWE-918)

2026-05-29 redhat

GHSA-76ww-43j5-78x5

SSRF Red Hat Openshift Container Platform 4

7.7

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.7 HIGH

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Red Hat

7.7 HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

May 29, 2026 - 11:00 vuln.today

DescriptionCVE.org

A flaw was found in the OpenShift Router. A user with EndpointSlice write access can exploit this vulnerability by creating a Service backed by an FQDN (Fully Qualified Domain Name) EndpointSlice that resolves to a cloud metadata endpoint. This allows the router to proxy requests to the cloud metadata endpoint, leading to the disclosure of instance credentials and other sensitive metadata. This bypasses previous security measures for validating IP addresses.

AnalysisAI

Server-side request forgery in Red Hat OpenShift Container Platform 4's Router component allows authenticated users with EndpointSlice write permissions to coerce the router into proxying requests to cloud provider instance metadata endpoints (e.g., 169.254.169.254), exposing instance credentials and sensitive metadata. The flaw bypasses prior IP-address-based validation by abusing FQDN-backed EndpointSlices that resolve to metadata services. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain low-priv OpenShift account with EndpointSlice write

Delivery

Create Service and FQDN EndpointSlice pointing at metadata host

Exploit

Send HTTP request through Router to that Service

Execution

Router resolves FQDN and proxies to 169.254.169.254

Persist

Receive cloud instance IAM credentials in response

Impact

Pivot into cloud account using stolen credentials

Access

Obtain low-priv OpenShift account with EndpointSlice write

Delivery

Create Service and FQDN EndpointSlice pointing at metadata host

Exploit

Send HTTP request through Router to that Service

Execution

Router resolves FQDN and proxies to 169.254.169.254

Persist

Receive cloud instance IAM credentials in response

Impact

Pivot into cloud account using stolen credentials

Vulnerability AssessmentAI

Exploitation	Requires an authenticated OpenShift user (PR:L) with RBAC permission to create or update EndpointSlice (and typically Service/Route) objects in at least one namespace on a target OpenShift Container Platform 4 cluster; the cluster must be deployed on a cloud provider exposing an instance metadata service reachable from the router pods (e.g., AWS, Azure, GCP) - on-premise clusters without such an endpoint are not exploitable for credential disclosure. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) reflects a network-reachable, low-complexity attack requiring low privileges, with a scope change and high confidentiality impact - consistent with SSRF leaking cloud credentials across a trust boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker with a low-privileged OpenShift account that holds EndpointSlice write permission in any namespace creates a Service plus an EndpointSlice whose addressType is FQDN and whose endpoint resolves (via attacker-controlled DNS or a public record) to 169.254.169.254. The attacker then sends an HTTP request through the cluster's exposed Router to a route mapped at that Service; the router proxies the request to the cloud metadata endpoint and returns IAM credentials for the underlying node, which the attacker uses to pivot into the cloud account.
Remediation	Patch available per vendor advisory: apply the OpenShift Container Platform 4 update referenced in https://access.redhat.com/security/cve/CVE-2026-42965 for your supported channel, and track the Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2483184 for the exact z-stream fix versions. … Detailed patch versions, workarounds, and compensating controls in full report.