Odh-dashboard: odh dashboard kubernetes service account exposure
Summary
| CVE | CVE-2026-5483 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-10 18:16:46 UTC |
| Updated | 2026-04-21 19:51:11 UTC |
| Description | A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This could enable an attacker to gain unauthorized access to Kubernetes resources. |
Risk And Classification
Primary CVSS: v3.1 9.9 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.000640000 probability, percentile 0.197370000 (date 2026-04-15)
Problem Types: CWE-201 | CWE-201 Insertion of Sensitive Information Into Sent Data
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 8.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 8.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
ChangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Redhat | Openshift Ai | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Red Hat | Red Hat OpenShift AI 2.16 | unaffected sha256:0a983da3de4ce816435e23da23c4b6f373008aaf2df2b9820bdcc77a9a110341 * rpm | Not specified |
| CNA | Red Hat | Red Hat OpenShift AI 2.25 | unaffected sha256:15ee3fb5fedf759e82c8de8020da1931c9de8138737f1cc7cf6622847a52887f * rpm | Not specified |
| CNA | Red Hat | Red Hat OpenShift AI 3.2 | unaffected sha256:0bdb9912d41d799b0237fe75f3fdc843983ab4ebfe6b5a47f7d4a00a642c72cd * rpm | Not specified |
| CNA | Red Hat | Red Hat OpenShift AI 3.3 | unaffected sha256:14ee2bbd445b8a988c487d4b4a7b02ff9afe1c07034b4bba073a5a8263e3293e * rpm | Not specified |
| CNA | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| CNA | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| CNA | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:7403 | [email protected] | access.redhat.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:7398 | [email protected] | access.redhat.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:7397 | [email protected] | access.redhat.com | Vendor Advisory |
| bugzilla.redhat.com/show_bug.cgi | [email protected] | bugzilla.redhat.com | Issue Tracking, Vendor Advisory |
| access.redhat.com/security/cve/CVE-2026-5483 | [email protected] | access.redhat.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:7404 | [email protected] | access.redhat.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-04-03T00:00:00.000Z | Reported to Red Hat. |
| CNA | 2026-04-10T17:16:00.000Z | Made public. |
Workarounds
CNA: If applying the update is not immediately possible, the vulnerability can be mitigated by disabling or removing the NIM (NVIDIA Inference Microservice) integration from the Red Hat OpenShift AI (RHOAI) environment.
There are currently no legacy QID mappings associated with this CVE.