Assisted-service: assisted-service: authenticated users can gain administrative access to openshift clusters via credential disclosure

Summary

CVE	CVE-2026-7163
State	PUBLISHED
Assigner	redhat
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-04-30 14:16:36 UTC
Updated	2026-04-30 22:16:26 UTC
Description	A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. The credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace. The affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected. This issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode. Successful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.

Risk And Classification

Primary CVSS: v3.1 6.1 MEDIUM from [email protected]

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Problem Types: CWE-312 | CWE-312 Cleartext Storage of Sensitive Information

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Secondary	6.1	MEDIUM	`CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N`
3.1	CNA	CVSS	6.1	MEDIUM	`CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N`

CVSS v3.1 Breakdown

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Red Hat	Multicluster Engine For Kubernetes 2.1	unaffected 1776983527 * rpm	Not specified
CNA	Red Hat	Multicluster Engine For Kubernetes 2.11	unaffected 1776987609 * rpm	Not specified
CNA	Red Hat	Multicluster Engine For Kubernetes 2.7	unaffected 1777205801 * rpm	Not specified
CNA	Red Hat	Multicluster Engine For Kubernetes 2.7	unaffected 1777205772 * rpm	Not specified

References

Reference	Source	Link	Tags
access.redhat.com/errata/RHSA-2026:12337	[email protected]	access.redhat.com
access.redhat.com/errata/RHSA-2026:11511	[email protected]	access.redhat.com
access.redhat.com/errata/RHSA-2026:11512	[email protected]	access.redhat.com
access.redhat.com/security/cve/CVE-2026-7163	[email protected]	access.redhat.com
bugzilla.redhat.com/show_bug.cgi	[email protected]	bugzilla.redhat.com
access.redhat.com/errata/RHSA-2026:12116	[email protected]	access.redhat.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: This issue was discovered by Nick Carboni (Red Hat), Omer Vishlitzky (Red Hat), and Riccardo Piccoli (Red Hat). (en)

Additional Advisory Data

Source	Time	Event
CNA	2026-04-27T04:18:06.534Z	Reported to Red Hat.
CNA	2026-04-30T12:00:00.000Z	Made public.

There are currently no legacy QID mappings associated with this CVE.