Severity by source
AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Adjacent-network MITM on SSH bootstrap (AV:A, AC:H), no auth needed (PR:N), no user interaction, and captured node credentials cross a trust boundary into the cluster (S:C) with full CIA impact on Windows workloads.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server host key. An adjacent-network attacker who can intercept or redirect WMCO's SSH session can capture WICD and kubelet bootstrap credentials transferred during node configuration, enabling compromise of Windows node identities in the cluster.
AnalysisAI
Credential theft in Red Hat OpenShift Container Platform's Windows Machine Config Operator (WMCO) allows adjacent-network attackers to intercept SSH sessions to Windows worker nodes and steal WICD and kubelet bootstrap credentials. WMCO fails to verify the remote SSH host key when configuring Windows nodes, enabling a man-in-the-middle attacker positioned on the cluster network to capture credentials sufficient to assume Windows node identities. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to be on the same adjacent network segment as either the WMCO controller pod or the target Windows worker node and to perform an active MITM (ARP/NDP spoofing, rogue DHCP, or upstream router compromise) during the narrow window when WMCO initiates the SSH bootstrap to a new or reconfigured Windows node. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS:3.1 vector AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H yields 8.3 (High), driven largely by the scope change (S:C) - stealing bootstrap credentials lets the attacker pivot from a single node to cluster-level Windows workloads. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has gained a foothold on the OpenShift machine/management subnet (for example via a compromised infrastructure node or a misconfigured tenant workload sharing the VLAN) ARP-spoofs or BGP-hijacks the IP of a newly provisioned Windows node and answers WMCO's SSH connection with their own server. Because WMCO does not verify the host key, the handshake succeeds and WMCO transfers the WICD binary and kubelet bootstrap kubeconfig to the attacker, who then uses those credentials to register a rogue Windows node identity and read or tamper with Windows workloads in the cluster. … |
| Remediation | Patch available per vendor advisory - upgrade WMCO to the fixed version published by Red Hat for your OpenShift 4.x stream as referenced in https://access.redhat.com/security/cve/CVE-2026-54100 (exact fix version not enumerated in the input data, so verify against the Red Hat errata before rollout). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all OpenShift clusters running WMCO with Windows nodes and restrict network access to credential exchange traffic during node configuration. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Privilege escalation in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform allows a com
HAProxy configuration injection in Red Hat OpenShift Container Platform 4 allows a low-privileged tenant with permission
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces
Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memor
Here is the multi-source synthesis as a single JSON object: ```json { "product_name": "GnuTLS", "summary": "Certifi
Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Re
Local privilege escalation in the cifs-utils cifs.upcall helper allows low-privileged Linux users to gain root by abusin
Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a malic
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38234
GHSA-q3jf-4x8j-368q