Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attacker needs local access to a compromised Windows node with WICD credentials (AV:L, PR:L); auto-approver flaw reliably yields cluster-admin, causing scope change and full CIA impact.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The WICD CSR auto-approver validates that a Certificate Signing Request contains the organization system:wicd-nodes but does not reject additional organization values such as system:masters. A compromised Windows worker node that holds WICD credentials can submit a CSR that is auto-approved and signed by the cluster, yielding a client certificate that grants cluster-administrator privileges and enabling full cluster takeover.
AnalysisAI
Privilege escalation in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform allows a compromised Windows worker node holding WICD credentials to obtain a cluster-administrator client certificate. The WICD CSR auto-approver checks for the system:wicd-nodes organization but fails to reject additional organization values such as system:masters, enabling full cluster takeover. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires prior compromise of a Windows worker node managed by WMCO in an OpenShift 4 cluster, and possession of valid WICD credentials on that node sufficient to submit a CSR. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS:3.1 vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H scores 8.8 and reflects the realistic attack model: an attacker must already control a Windows worker node (PR:L, AV:L) holding WICD credentials, but successful exploitation produces a scope change (S:C) into the control plane with full confidentiality, integrity, and availability impact - i.e., cluster takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker compromises a Windows worker node (for example via a vulnerable workload or stolen node credentials) and reads the WICD client credentials from the node. Using those credentials, they craft a CSR whose subject includes both O=system:wicd-nodes (to satisfy the auto-approver) and O=system:masters, submit it, and the cluster signs it; the returned certificate authenticates the attacker as a cluster-admin, enabling secret exfiltration, workload tampering, and full control-plane takeover. |
| Remediation | Patch availability per vendor advisory - apply the Red Hat-supplied WMCO update for your OpenShift 4 channel as described at https://access.redhat.com/security/cve/CVE-2026-54099 once the fixed WMCO version is published, and track https://bugzilla.redhat.com/show_bug.cgi?id=2487950 for version specifics. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all OpenShift clusters running WMCO and determine deployed version; immediately rotate all WICD credentials and audit credential distribution; restrict network access to Windows worker nodes. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
HAProxy configuration injection in Red Hat OpenShift Container Platform 4 allows a low-privileged tenant with permission
Credential theft in Red Hat OpenShift Container Platform's Windows Machine Config Operator (WMCO) allows adjacent-networ
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces
Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memor
Here is the multi-source synthesis as a single JSON object: ```json { "product_name": "GnuTLS", "summary": "Certifi
Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Re
Local privilege escalation in the cifs-utils cifs.upcall helper allows low-privileged Linux users to gain root by abusin
Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a malic
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38233
GHSA-x82v-328r-gf3h