Skip to main content

RHACS Central CVE-2026-9165

| EUVDEUVD-2026-41859 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-07-06 redhat GHSA-fw53-q2vg-jr6g
7.7
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Network-reachable GraphQL API with low complexity and a required API token gives AV:N/AC:L/PR:L; availability-only impact confined to Central yields A:H and S:U (I judge scope unchanged, unlike vendor S:C).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 09:21 vuln.today

DescriptionCVE.org

A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane.

AnalysisAI

Authenticated denial of service in Red Hat Advanced Cluster Security for Kubernetes (RHACS) 4 allows any user holding a valid API token to exhaust Central's resources. Because Central does not cap the nesting depth of queries served on its authenticated GraphQL API, a single deeply nested query can drive excessive CPU and memory consumption and take down the RHACS management plane. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid RHACS API token
Delivery
Reach Central GraphQL endpoint
Exploit
Submit deeply nested query
Execution
Resolver tree exhausts CPU/memory
Persist
Central becomes unresponsive
Impact
Management plane denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session against Central's GraphQL API - specifically a valid RHACS API token (PR:L) - and network reachability to the Central endpoint (AV:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H (7.7, High) is internally consistent with the description: network-reachable API, low complexity, low privileges (a valid API token), no user interaction, and a pure availability impact with no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An insider or a user whose RHACS API token has leaked authenticates to Central's GraphQL API and submits a single deeply nested query. Central attempts to resolve the exponentially expanding query tree, spiking CPU and memory until it becomes unresponsive, cutting off security policy enforcement and monitoring for every cluster Central manages. …
Remediation No vendor-released patch version is specified in the available data, so consult the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-9165 for the fixed RHACS 4.x release and upgrade Central to it once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit all issued API tokens, revoke unnecessary credentials, and restrict token creation to essential service accounts only; enable GraphQL API query logging and monitoring. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-9165 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy