Skip to main content

OpenShift Router EUVDEUVD-2026-33274

| CVE-2026-46579 HIGH
Improper Authentication (CWE-287)
2026-05-29 redhat GHSA-ccmj-8c3p-4qwj
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Network-reachable HTTP listener, no auth or interaction; integrity-only impact via spoofed identity headers, no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Red Hat
7.4 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Jun 23, 2026 - 09:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 09:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 09:37 vuln.today
cvss_changed
CVSS changed
Jun 23, 2026 - 09:37 NVD
7.4 (HIGH) 7.5 (HIGH)
CVE Published
Jun 22, 2026 - 06:03 cve.org
HIGH 7.4
Analysis Generated
May 29, 2026 - 11:00 vuln.today

DescriptionNVD

A flaw was found in the OpenShift Router. When a Route has insecureEdgeTerminationPolicy set to Allow, the HTTP frontend does not remove X-SSL-Client-* headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted X-SSL-Client-* headers. As a result, backends relying on these headers for mutual TLS (Transport Layer Security) authentication can be bypassed, enabling the attacker to impersonate client certificate identities.

AnalysisAI

Authentication bypass in Red Hat OpenShift Container Platform 4 Router allows remote unauthenticated attackers to impersonate TLS client certificate identities by injecting X-SSL-Client-* headers over plain HTTP. The flaw affects Routes configured with insecureEdgeTerminationPolicy set to Allow, where the HTTP frontend fails to strip these trusted headers from inbound requests. No public exploit identified at time of analysis, EPSS is very low (0.03%), and CISA SSVC marks exploitation status as none with total technical impact.

Technical ContextAI

The OpenShift Router is the HAProxy-based ingress component that terminates TLS and forwards traffic to backend pods in OpenShift Container Platform 4. When a Route uses edge TLS termination with insecureEdgeTerminationPolicy=Allow, the router accepts plain HTTP on the same Route and is expected to sanitize identity-bearing headers like X-SSL-Client-Cert, X-SSL-Client-DN, and X-SSL-Client-Verify before proxying upstream. The CWE-287 (Improper Authentication) root cause is missing header sanitization on the HTTP listener: backends that consume these headers as proof of mTLS authentication will trust attacker-supplied values. Affected CPE strings point exclusively to red_hat:red_hat_openshift_container_platform_4, and the issue is tracked in Red Hat Bugzilla 2483181 with errata RHSA-2026:27044 and RHSA-2026:27063.

RemediationAI

Patch available per vendor advisory - apply the OpenShift updates published in RHSA-2026:27044 and RHSA-2026:27063 (linked from https://access.redhat.com/security/cve/CVE-2026-46579) for your specific OCP 4 minor stream, since exact patched router versions are not enumerated in the provided data. As a compensating control until patching, change any Route using spec.tls.insecureEdgeTerminationPolicy=Allow to either Redirect (forces HTTPS, transparent for most clients) or None/disable (rejects HTTP, may break clients that intentionally hit port 80); both close the bypass but the Redirect option preserves availability for HTTP clients. Where the Allow policy must remain, add an HAProxy or upstream filter that explicitly strips X-SSL-Client-Cert, X-SSL-Client-DN, X-SSL-Client-Verify, and related headers on the HTTP listener, and audit backend applications to require certificate re-validation or to consume mTLS identity only from headers that the router has been verified to set itself, accepting the operational cost of additional config drift.

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-54099 HIGH
8.8 Jun 22

Privilege escalation in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform allows a com

CVE-2026-1784 HIGH
8.8 Jun 02

HAProxy configuration injection in Red Hat OpenShift Container Platform 4 allows a low-privileged tenant with permission

CVE-2026-54100 HIGH
8.3 Jun 22

Credential theft in Red Hat OpenShift Container Platform's Windows Machine Config Operator (WMCO) allows adjacent-networ

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

CVE-2026-35091 HIGH
8.2 Apr 01

Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memor

CVE-2026-42013 HIGH
8.2 May 26

Here is the multi-source synthesis as a single JSON object: ```json { "product_name": "GnuTLS", "summary": "Certifi

CVE-2026-14476 HIGH
8.0 Jul 07

Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Re

CVE-2026-12505 HIGH
7.8 Jun 18

Local privilege escalation in the cifs-utils cifs.upcall helper allows low-privileged Linux users to gain root by abusin

Vendor StatusVendor

Share

EUVD-2026-33274 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy