Skip to main content

Kubernetes CVE-2026-4740

| EUVDEUVD-2026-19690 HIGH
Improper Certificate Validation (CWE-295)
2026-04-07 redhat GHSA-q4gv-pjmh-c735
8.2
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.2 HIGH
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Red Hat
8.2 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 28, 2026 - 20:53 vuln.today
cvss_changed
Patch released
Apr 09, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 15:00 euvd
EUVD-2026-19690
Analysis Generated
Apr 07, 2026 - 15:00 vuln.today
CVE Published
Apr 07, 2026 - 14:30 nvd
HIGH 8.2

DescriptionCVE.org

A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This enables cross-cluster privilege escalation and may allow an attacker to gain control over other managed clusters, including the hub cluster.

AnalysisAI

Improper certificate validation in Red Hat's Open Cluster Management (OCM) and Multicluster Engine for Kubernetes allows managed cluster administrators with high-level local access to forge client certificates, achieving cross-cluster privilege escalation to other managed clusters including the hub cluster. The CVSS 8.2 rating reflects high impact across confidentiality, integrity, and availability with scope change, though exploitation requires existing high-privilege local access (PR:H) and local attack vector (AV:L). No public exploit code or CISA KEV listing identified at time of analysis, though technical details are publicly documented in researcher blog post.

Technical ContextAI

Open Cluster Management (OCM) is the upstream technology powering Red Hat Advanced Cluster Management, providing multi-cluster orchestration for Kubernetes environments. The vulnerability stems from CWE-295 (Improper Certificate Validation) in the OCM controller's handling of Kubernetes client certificate renewal requests. In a hub-and-spoke architecture, managed clusters authenticate to the hub using client certificates. The flaw allows a compromised managed cluster administrator to craft malicious certificate signing requests that bypass validation controls during the renewal process. Once the forged certificate is approved by the automated OCM controller, the attacker gains authenticated access as a trusted cluster identity, breaking the isolation boundary between managed clusters. This affects Red Hat Multicluster Engine for Kubernetes deployments where the hub cluster manages multiple spoke clusters through certificate-based mutual TLS authentication.

RemediationAI

Organizations should immediately apply vendor-released patches for Red Hat Multicluster Engine for Kubernetes and Advanced Cluster Management as documented in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-4740. Consult the Bugzilla tracking issue at https://bugzilla.redhat.com/show_bug.cgi?id=2450590 for specific fixed versions and update instructions. Until patching is complete, implement defense-in-depth controls including enhanced monitoring of certificate signing requests from managed clusters, audit logging of cross-cluster authentication attempts, and network segmentation to limit lateral movement between managed clusters. Review and restrict administrative access to managed clusters, treating any cluster administrator as a potential pivot point to the hub. Consider temporarily isolating high-risk or less-trusted managed clusters from the hub environment if immediate patching is not feasible. Post-remediation, rotate all cluster client certificates and review audit logs for suspicious certificate approval activity dating back to when vulnerable versions were deployed.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Vendor StatusVendor

Share

CVE-2026-4740 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy