Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable endpoint exploitable by a low-priv authenticated dashboard user (PR:L, AC:L); the leaked SA token authenticates to the Kubernetes API, crossing a scope boundary (S:C) with full C/I/A impact on cluster resources.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
10DescriptionNVD
A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the odh-dashboard component of Red Hat OpenShift AI (RHOAI) allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This could enable an attacker to gain unauthorized access to Kubernetes resources.
AnalysisAI
Kubernetes Service Account token disclosure in the odh-dashboard component of Red Hat OpenShift AI (RHOAI) lets an authenticated low-privileged user retrieve SA tokens via an exposed NodeJS endpoint, then reuse them to reach Kubernetes resources beyond the dashboard's intended scope. Rated CVSS 9.9 with a changed scope, the flaw effectively converts limited dashboard access into broad cluster access. There is no public exploit identified at time of analysis and EPSS is very low (0.06%), but a vendor patch is already available via Red Hat errata.
Technical ContextAI
OpenShift AI (RHOAI) is Red Hat's machine-learning platform that runs on OpenShift/Kubernetes; odh-dashboard is its Node.js-based web frontend (derived from Open Data Hub). In Kubernetes, Service Account tokens are bearer credentials that the API server accepts for authentication and authorization - possession of a token grants whatever RBAC the associated SA holds. The root cause maps to CWE-201 (Insertion of Sensitive Information Into Sent Data): a dashboard backend endpoint returns SA token material to the client rather than keeping it server-side, exposing a credential that should never transit to the user. Because the leaked token authenticates directly to the Kubernetes API, the impact crosses a trust boundary from the application to the cluster control plane, which is reflected in the CVSS scope change (S:C).
RemediationAI
Apply the Red Hat fix by upgrading odh-dashboard / RHOAI to the patched releases shipped in the errata - Red Hat OpenShift AI 2.16 (patched image digest sha256:0a983da3...110341) and 3.3 (sha256:14ee2bbd...3293e); pull the updated operator/dashboard images per RHSA-2026:7397 (and related RHSA-2026:7403/7398/7404) at https://access.redhat.com/errata/RHSA-2026:7397 and the CVE page https://access.redhat.com/security/cve/CVE-2026-5483. Until patching is complete, reduce exposure by restricting network access to the odh-dashboard route (limit it to trusted networks/VPN or an authenticating reverse proxy) and tightening who holds dashboard access, since that limits which users can reach the leaking endpoint; as a containment measure, scope down RBAC on the affected Service Account(s) and rotate any SA tokens that may have been exposed so leaked credentials lose validity. Trade-offs: restricting the route or rotating tokens can disrupt legitimate data-science users and running workloads, so coordinate token rotation with workload owners. Track remediation against the Bugzilla record https://bugzilla.redhat.com/show_bug.cgi?id=2454764.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21547
GHSA-w59f-v72r-w493