Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Network-reachable HTTP listener, no auth or interaction; integrity-only impact via spoofed identity headers, no confidentiality or availability effect.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
6DescriptionNVD
A flaw was found in the OpenShift Router. When a Route has insecureEdgeTerminationPolicy set to Allow, the HTTP frontend does not remove X-SSL-Client-* headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted X-SSL-Client-* headers. As a result, backends relying on these headers for mutual TLS (Transport Layer Security) authentication can be bypassed, enabling the attacker to impersonate client certificate identities.
AnalysisAI
Authentication bypass in Red Hat OpenShift Container Platform 4 Router allows remote unauthenticated attackers to impersonate TLS client certificate identities by injecting X-SSL-Client-* headers over plain HTTP. The flaw affects Routes configured with insecureEdgeTerminationPolicy set to Allow, where the HTTP frontend fails to strip these trusted headers from inbound requests. No public exploit identified at time of analysis, EPSS is very low (0.03%), and CISA SSVC marks exploitation status as none with total technical impact.
Technical ContextAI
The OpenShift Router is the HAProxy-based ingress component that terminates TLS and forwards traffic to backend pods in OpenShift Container Platform 4. When a Route uses edge TLS termination with insecureEdgeTerminationPolicy=Allow, the router accepts plain HTTP on the same Route and is expected to sanitize identity-bearing headers like X-SSL-Client-Cert, X-SSL-Client-DN, and X-SSL-Client-Verify before proxying upstream. The CWE-287 (Improper Authentication) root cause is missing header sanitization on the HTTP listener: backends that consume these headers as proof of mTLS authentication will trust attacker-supplied values. Affected CPE strings point exclusively to red_hat:red_hat_openshift_container_platform_4, and the issue is tracked in Red Hat Bugzilla 2483181 with errata RHSA-2026:27044 and RHSA-2026:27063.
RemediationAI
Patch available per vendor advisory - apply the OpenShift updates published in RHSA-2026:27044 and RHSA-2026:27063 (linked from https://access.redhat.com/security/cve/CVE-2026-46579) for your specific OCP 4 minor stream, since exact patched router versions are not enumerated in the provided data. As a compensating control until patching, change any Route using spec.tls.insecureEdgeTerminationPolicy=Allow to either Redirect (forces HTTPS, transparent for most clients) or None/disable (rejects HTTP, may break clients that intentionally hit port 80); both close the bypass but the Redirect option preserves availability for HTTP clients. Where the Allow policy must remain, add an HAProxy or upstream filter that explicitly strips X-SSL-Client-Cert, X-SSL-Client-DN, X-SSL-Client-Verify, and related headers on the HTTP listener, and audit backend applications to require certificate re-validation or to consume mTLS identity only from headers that the router has been verified to set itself, accepting the operational cost of additional config drift.
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Privilege escalation in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform allows a com
HAProxy configuration injection in Red Hat OpenShift Container Platform 4 allows a low-privileged tenant with permission
Credential theft in Red Hat OpenShift Container Platform's Windows Machine Config Operator (WMCO) allows adjacent-networ
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces
Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memor
Here is the multi-source synthesis as a single JSON object: ```json { "product_name": "GnuTLS", "summary": "Certifi
Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Re
Local privilege escalation in the cifs-utils cifs.upcall helper allows low-privileged Linux users to gain root by abusin
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33274
GHSA-ccmj-8c3p-4qwj