Skip to main content

OpenShift WMCO CVE-2026-54099

| EUVDEUVD-2026-38233 HIGH
Improper Privilege Management (CWE-269)
2026-06-22 redhat GHSA-x82v-328r-gf3h
8.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Attacker needs local access to a compromised Windows node with WICD credentials (AV:L, PR:L); auto-approver flaw reliably yields cluster-admin, causing scope change and full CIA impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 22, 2026 - 14:03 vuln.today
CVE Published
Jun 22, 2026 - 12:46 cve.org
HIGH 8.8

DescriptionCVE.org

A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The WICD CSR auto-approver validates that a Certificate Signing Request contains the organization system:wicd-nodes but does not reject additional organization values such as system:masters. A compromised Windows worker node that holds WICD credentials can submit a CSR that is auto-approved and signed by the cluster, yielding a client certificate that grants cluster-administrator privileges and enabling full cluster takeover.

AnalysisAI

Privilege escalation in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform allows a compromised Windows worker node holding WICD credentials to obtain a cluster-administrator client certificate. The WICD CSR auto-approver checks for the system:wicd-nodes organization but fails to reject additional organization values such as system:masters, enabling full cluster takeover. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Compromise Windows worker node
Delivery
Steal WICD client credentials
Exploit
Craft CSR with system:wicd-nodes and system:masters
Install
Submit CSR to cluster API
C2
Auto-approver signs malicious certificate
Execute
Authenticate as cluster-admin
Impact
Take over OpenShift control plane

Vulnerability AssessmentAI

Exploitation Requires prior compromise of a Windows worker node managed by WMCO in an OpenShift 4 cluster, and possession of valid WICD credentials on that node sufficient to submit a CSR. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS:3.1 vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H scores 8.8 and reflects the realistic attack model: an attacker must already control a Windows worker node (PR:L, AV:L) holding WICD credentials, but successful exploitation produces a scope change (S:C) into the control plane with full confidentiality, integrity, and availability impact - i.e., cluster takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker compromises a Windows worker node (for example via a vulnerable workload or stolen node credentials) and reads the WICD client credentials from the node. Using those credentials, they craft a CSR whose subject includes both O=system:wicd-nodes (to satisfy the auto-approver) and O=system:masters, submit it, and the cluster signs it; the returned certificate authenticates the attacker as a cluster-admin, enabling secret exfiltration, workload tampering, and full control-plane takeover.
Remediation Patch availability per vendor advisory - apply the Red Hat-supplied WMCO update for your OpenShift 4 channel as described at https://access.redhat.com/security/cve/CVE-2026-54099 once the fixed WMCO version is published, and track https://bugzilla.redhat.com/show_bug.cgi?id=2487950 for version specifics. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all OpenShift clusters running WMCO and determine deployed version; immediately rotate all WICD credentials and audit credential distribution; restrict network access to Windows worker nodes. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-1784 HIGH
8.8 Jun 02

HAProxy configuration injection in Red Hat OpenShift Container Platform 4 allows a low-privileged tenant with permission

CVE-2026-54100 HIGH
8.3 Jun 22

Credential theft in Red Hat OpenShift Container Platform's Windows Machine Config Operator (WMCO) allows adjacent-networ

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

CVE-2026-35091 HIGH
8.2 Apr 01

Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memor

CVE-2026-42013 HIGH
8.2 May 26

Here is the multi-source synthesis as a single JSON object: ```json { "product_name": "GnuTLS", "summary": "Certifi

CVE-2026-14476 HIGH
8.0 Jul 07

Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Re

CVE-2026-12505 HIGH
7.8 Jun 18

Local privilege escalation in the cifs-utils cifs.upcall helper allows low-privileged Linux users to gain root by abusin

CVE-2026-48864 HIGH
7.8 May 26

Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a malic

Vendor StatusVendor

Share

CVE-2026-54099 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy