Skip to main content

Red Hat OpenShift WMCO CVE-2026-54100

| EUVDEUVD-2026-38234 HIGH
Improper Certificate Validation (CWE-295)
2026-06-22 redhat GHSA-q3jf-4x8j-368q
8.3
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.3 HIGH
AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.3 HIGH

Adjacent-network MITM on SSH bootstrap (AV:A, AC:H), no auth needed (PR:N), no user interaction, and captured node credentials cross a trust boundary into the cluster (S:C) with full CIA impact on Windows workloads.

3.1 AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Red Hat
8.3 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 22, 2026 - 14:03 vuln.today
CVE Published
Jun 22, 2026 - 12:46 cve.org
HIGH 8.3

DescriptionCVE.org

A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server host key. An adjacent-network attacker who can intercept or redirect WMCO's SSH session can capture WICD and kubelet bootstrap credentials transferred during node configuration, enabling compromise of Windows node identities in the cluster.

AnalysisAI

Credential theft in Red Hat OpenShift Container Platform's Windows Machine Config Operator (WMCO) allows adjacent-network attackers to intercept SSH sessions to Windows worker nodes and steal WICD and kubelet bootstrap credentials. WMCO fails to verify the remote SSH host key when configuring Windows nodes, enabling a man-in-the-middle attacker positioned on the cluster network to capture credentials sufficient to assume Windows node identities. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain foothold on machine network
Delivery
ARP/route spoof Windows node IP
Exploit
Intercept WMCO SSH bootstrap
Execution
Capture WICD and kubelet credentials
Persist
Impersonate Windows node identity
Impact
Pivot into Windows workloads

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to be on the same adjacent network segment as either the WMCO controller pod or the target Windows worker node and to perform an active MITM (ARP/NDP spoofing, rogue DHCP, or upstream router compromise) during the narrow window when WMCO initiates the SSH bootstrap to a new or reconfigured Windows node. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS:3.1 vector AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H yields 8.3 (High), driven largely by the scope change (S:C) - stealing bootstrap credentials lets the attacker pivot from a single node to cluster-level Windows workloads. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has gained a foothold on the OpenShift machine/management subnet (for example via a compromised infrastructure node or a misconfigured tenant workload sharing the VLAN) ARP-spoofs or BGP-hijacks the IP of a newly provisioned Windows node and answers WMCO's SSH connection with their own server. Because WMCO does not verify the host key, the handshake succeeds and WMCO transfers the WICD binary and kubelet bootstrap kubeconfig to the attacker, who then uses those credentials to register a rogue Windows node identity and read or tamper with Windows workloads in the cluster. …
Remediation Patch available per vendor advisory - upgrade WMCO to the fixed version published by Red Hat for your OpenShift 4.x stream as referenced in https://access.redhat.com/security/cve/CVE-2026-54100 (exact fix version not enumerated in the input data, so verify against the Red Hat errata before rollout). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all OpenShift clusters running WMCO with Windows nodes and restrict network access to credential exchange traffic during node configuration. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-54099 HIGH
8.8 Jun 22

Privilege escalation in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform allows a com

CVE-2026-1784 HIGH
8.8 Jun 02

HAProxy configuration injection in Red Hat OpenShift Container Platform 4 allows a low-privileged tenant with permission

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

CVE-2026-35091 HIGH
8.2 Apr 01

Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memor

CVE-2026-42013 HIGH
8.2 May 26

Here is the multi-source synthesis as a single JSON object: ```json { "product_name": "GnuTLS", "summary": "Certifi

CVE-2026-14476 HIGH
8.0 Jul 07

Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Re

CVE-2026-12505 HIGH
7.8 Jun 18

Local privilege escalation in the cifs-utils cifs.upcall helper allows low-privileged Linux users to gain root by abusin

CVE-2026-48864 HIGH
7.8 May 26

Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a malic

Vendor StatusVendor

Share

CVE-2026-54100 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy