Openshift-pipelines-operator-rh: openshift-pipelines-operator: tekton-scheduler-rolebinding grants system:authenticated write access to kueue and cert-manager resources
Summary
| CVE | CVE-2026-10840 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-04 12:16:24 UTC |
| Updated | 2026-06-04 15:35:18 UTC |
| Description | A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate. |
Risk And Classification
Primary CVSS: v3.1 9.6 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
Problem Types: CWE-732 Incorrect Permission Assignment for Critical Resource
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H |
| 3.1 | CNA | CVSS | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Red Hat | Builds For Red Hat OpenShift | Not specified | Not specified |
| CNA | Red Hat | OpenShift Pipelines | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/security/cve/CVE-2026-10840 | [email protected] | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | [email protected] | bugzilla.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Red Hat would like to thank Christopher Lusk (North Echo Security Research) for reporting this issue.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-04-25T00:00:00.000Z | Reported to Red Hat. |
| CNA | 2026-04-25T00:00:00.000Z | Made public. |
Workarounds
CNA: If the Tekton Scheduler feature is not in use, administrators can mitigate this by patching the ClusterRoleBinding to reference a specific ServiceAccount instead of system:authenticated:

```shell
oc patch clusterrolebinding tekton-scheduler-rolebinding --type=merge -p '{"subjects": [{"kind": "ServiceAccount", "name": "openshift-pipelines-operator", "namespace": "openshift-operators"}]}'
```

IMPORTANT: The OpenShift Pipelines operator's reconciliation loop may revert this manual patch. Verify that the operator does not reconcile this binding back to system:authenticated after applying the mitigation. If it does, scale down the operator deployment or configure the operator to skip reconciliation of this object. Alternatively, the ClusterRoleBinding can be deleted if the Tekton Scheduler is not enabled.
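The verification step above (confirm the binding no longer carries system:authenticated, and re-check it after the operator has had a chance to reconcile) can be scripted against the JSON that `oc get clusterrolebinding tekton-scheduler-rolebinding -o json` returns. The following is an added audit example, not code from Red Hat or the OpenShift Pipelines operator; the embedded ClusterRoleBinding document is constructed to match the shape the advisory describes, and the ServiceAccount name and namespace default to the values in the workaround command.

```python
"""Audit a ClusterRoleBinding for broad group subjects (CVE-2026-10840).

Feed it the output of `oc get clusterrolebinding <name> -o json`; run it
before applying the workaround and again after the operator reconciles.
"""
import json

# Groups that mean "every caller": they should never be bound to a
# ClusterRole carrying write verbs on cluster-scoped resources.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Constructed sample document (not captured from a real cluster), shaped
# like the vulnerable binding the advisory describes.
SAMPLE_CRB = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "tekton-scheduler-rolebinding"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "tekton-scheduler-role"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                  "kind": "Group", "name": "system:authenticated"}],
})


def broad_subjects(crb_json: str) -> list[str]:
    """Return the names of Group subjects in BROAD_GROUPS bound by this CRB.
    An empty list means the binding is no longer open to every caller."""
    crb = json.loads(crb_json)
    return [s["name"] for s in crb.get("subjects") or []
            if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS]


def mitigation_patch(sa_name: str = "openshift-pipelines-operator",
                     namespace: str = "openshift-operators") -> str:
    """Merge-patch body that restricts the subjects to one ServiceAccount,
    identical in content to the advisory's `oc patch ... -p` argument."""
    return json.dumps({"subjects": [{"kind": "ServiceAccount",
                                     "name": sa_name,
                                     "namespace": namespace}]})


def apply_patch(crb_json: str, patch_json: str) -> str:
    """Simulate the merge patch locally (top-level keys are replaced), so the
    expected post-patch state can be audited with broad_subjects()."""
    crb = json.loads(crb_json)
    crb.update(json.loads(patch_json))
    return json.dumps(crb)


if __name__ == "__main__":
    print("before:", broad_subjects(SAMPLE_CRB))
    print("after: ", broad_subjects(apply_patch(SAMPLE_CRB, mitigation_patch())))
```

If a later run reports system:authenticated again, the operator has reconciled the binding back, which is the case the advisory says requires scaling down the operator or excluding the object from reconciliation.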