Odh-dashboard: odh dashboard kubernetes service account exposure
Summary
| CVE | CVE-2026-5483 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-10 18:16:46 UTC |
| Updated | 2026-06-30 03:21:07 UTC |
| Description | A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This could enable an attacker to gain unauthorized access to Kubernetes resources. |
Risk And Classification
Primary CVSS: v3.1 9.9 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.000640000 probability, percentile 0.197370000 (date 2026-04-15)
Problem Types: CWE-201 | CWE-201 Insertion of Sensitive Information Into Sent Data
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | ADP | CVSS | 8.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 8.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 8.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Redhat | Openshift Ai | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Red Hat | Red Hat OpenShift AI 2.16 | unaffected 1775230902 * rpm | Not specified |
| CNA | Red Hat | Red Hat OpenShift AI 2.25 | unaffected 1775234711 * rpm | Not specified |
| CNA | Red Hat | Red Hat OpenShift AI 3.2 | unaffected 1775523049 * rpm | Not specified |
| CNA | Red Hat | Red Hat OpenShift AI 3.3 | unaffected 1775239958 * rpm | Not specified |
| CNA | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| CNA | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| CNA | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 2.16 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 2.25 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/security/cve/CVE-2026-5483 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:7403 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:7397 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Vendor Advisory |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | Issue Tracking, Vendor Advisory |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-5483.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7398 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:7404 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-04-03T00:00:00.000Z | Reported to Red Hat. |
| CNA | 2026-04-10T17:16:00.000Z | Made public. |
| ADP | 2026-04-03T00:00:00.000Z | Reported to Red Hat. |
| ADP | 2026-04-10T17:16:00.000Z | Made public. |
Solutions
ADP: RHSA-2026:7397: Red Hat OpenShift AI 2.16
ADP: RHSA-2026:7398: Red Hat OpenShift AI 2.25
ADP: RHSA-2026:7404: Red Hat OpenShift AI 3.2
ADP: RHSA-2026:7403: Red Hat OpenShift AI 3.3
Workarounds
CNA: If applying the update is not immediately possible, the vulnerability can be mitigated by disabling or removing the NIM (NVIDIA Inference Microservice) integration from the Red Hat OpenShift AI (RHOAI) environment.
ADP: If applying the update is not immediately possible, the vulnerability can be mitigated by disabling or removing the NIM (NVIDIA Inference Microservice) integration from the Red Hat OpenShift AI (RHOAI) environment.