{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/openshift-router/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-46579"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenShift Router"],"_cs_severities":["high"],"_cs_tags":["openshift","mtls","header-injection","cve-2026-46579"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eThe OpenShift Router is affected by a high-severity flaw (CVSS 7.4) tracked as CVE-2026-46579. It applies when a Route is configured with \u003ccode\u003einsecureEdgeTerminationPolicy\u003c/code\u003e set to \u0026ldquo;Allow\u0026rdquo;, which makes the Route reachable over plain HTTP as well as TLS. On that plain-HTTP frontend the Router does not strip client-supplied \u003ccode\u003eX-SSL-Client-*\u003c/code\u003e headers before forwarding the request, so an unauthenticated attacker can inject arbitrary values for them. A backend that treats these headers as the record of a client certificate verified by the Router will accept an attacker-chosen identity, bypassing mutual TLS (mTLS) client authentication and impersonating a legitimate certificate holder. 
This poses a significant risk to applications that rely on mTLS identity headers behind such Routes: once forwarded, forged and Router-set headers are indistinguishable to the backend, and the result can be unauthorized access and data compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an OpenShift Route configured with \u003ccode\u003einsecureEdgeTerminationPolicy\u003c/code\u003e set to \u0026ldquo;Allow\u0026rdquo; whose backend authenticates clients from \u003ccode\u003eX-SSL-Client-*\u003c/code\u003e headers.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a plain HTTP request carrying forged \u003ccode\u003eX-SSL-Client-*\u003c/code\u003e headers that name the identity to impersonate.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the request to the OpenShift Router over HTTP, so no TLS handshake takes place and no client certificate is presented.\u003c/li\u003e\n\u003cli\u003eThe HTTP frontend of the Router does not strip the forged headers and forwards them unchanged to the backend service.\u003c/li\u003e\n\u003cli\u003eThe backend service, which expects these headers to be set only by the Router from a verified client certificate, authenticates the attacker as that client.\u003c/li\u003e\n\u003cli\u003eThe attacker now acts as the impersonated identity and performs whatever that identity is authorized to do, such as reading sensitive data or invoking privileged operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-46579 allows an unauthenticated attacker to bypass mutual TLS client authentication in OpenShift environments, leading to unauthorized access to sensitive resources, escalation to the privileges of the impersonated identity, and data breaches. The number of affected deployments depends on how many Routes combine \u003ccode\u003einsecureEdgeTerminationPolicy\u003c/code\u003e set to Allow with a backend that authenticates on \u003ccode\u003eX-SSL-Client-*\u003c/code\u003e headers. 
Organizations relying on mutual TLS for securing backend services are at significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security patches to the OpenShift Router to address CVE-2026-46579.\u003c/li\u003e\n\u003cli\u003eReview all OpenShift Route configurations to ensure that \u003ccode\u003einsecureEdgeTerminationPolicy\u003c/code\u003e is not set to \u0026ldquo;Allow\u0026rdquo; where mutual TLS authentication is required.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect OpenShift Router mTLS Bypass Attempt via X-SSL-Client Headers\u0026rdquo; to detect attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor Router and application logs for \u003ccode\u003eX-SSL-Client-*\u003c/code\u003e headers on requests received over plain HTTP; on such requests no client certificate was presented, so the headers can only have been supplied by the client and any occurrence is suspicious regardless of value.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T11:18:14Z","date_published":"2026-05-29T11:18:14Z","id":"https://feed.craftedsignal.io/briefs/2026-05-openshift-router-header-bypass/","summary":"CVE-2026-46579 describes a vulnerability in the Red Hat OpenShift Router. 
When a Route is configured with `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend fails to remove `X-SSL-Client-*` headers from incoming requests, allowing unauthenticated attackers to bypass mutual TLS authentication and impersonate client certificate identities.","title":"OpenShift Router Vulnerability CVE-2026-46579: Mutual TLS Bypass via Header Injection","url":"https://feed.craftedsignal.io/briefs/2026-05-openshift-router-header-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-42965"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenShift Router"],"_cs_severities":["medium"],"_cs_tags":["ssrf","cve","openshift"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eCVE-2026-42965 describes a server-side request forgery (SSRF) vulnerability in the OpenShift Router. A user with EndpointSlice write access can create a Service backed by an EndpointSlice of address type FQDN whose hostname resolves to a cloud metadata endpoint. When the Router serves traffic for that Service, it resolves the name and proxies requests to the metadata endpoint, returning the responses, including instance credentials and other metadata, to the requester. 
Because the endpoint is expressed as a hostname rather than a literal IP address, the earlier validation that rejected endpoint IP addresses in link-local or metadata ranges never examines the real destination, which is only determined when the Router resolves the name.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker holds EndpointSlice write access in a namespace of the OpenShift cluster, for example through a compromised or over-privileged user or service account.\u003c/li\u003e\n\u003cli\u003eThe attacker creates an EndpointSlice with \u003ccode\u003eaddressType: FQDN\u003c/code\u003e whose hostname resolves to a cloud metadata endpoint (e.g., \u003ccode\u003e169.254.169.254\u003c/code\u003e on AWS), so no literal metadata IP ever appears in the object.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a Service that this EndpointSlice backs.\u003c/li\u003e\n\u003cli\u003eThe OpenShift Router receives requests destined for the created Service, resolves the FQDN, and proxies the requests to the metadata endpoint.\u003c/li\u003e\n\u003cli\u003eThe metadata endpoint responds as it would to the node hosting the Router, and the response is returned to the attacker, exposing instance credentials and other metadata.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-42965 allows an attacker with EndpointSlice write access to read from the cloud metadata service using the network position of the Router. This may include instance credentials, API keys, and other data that can be used to further compromise the OpenShift environment and the underlying cloud infrastructure. 
Exposure depends on which principals hold EndpointSlice write access and on which cloud metadata services are reachable from the nodes running the Router.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates for the OpenShift Router provided by Red Hat to remediate CVE-2026-42965.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and RBAC (Role-Based Access Control) policies to limit EndpointSlice write access to only authorized users and service accounts.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual network activity and DNS queries originating from the OpenShift Router that target cloud metadata endpoints.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule that detects connections to common cloud metadata endpoints from the OpenShift Router to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T11:18:03Z","date_published":"2026-05-29T11:18:03Z","id":"https://feed.craftedsignal.io/briefs/2026-05-openshift-router-ssrf/","summary":"CVE-2026-42965 describes a server-side request forgery (SSRF) vulnerability in the OpenShift Router where a user with EndpointSlice write access can expose instance credentials by creating a service that proxies requests to a cloud metadata endpoint.","title":"OpenShift Router SSRF via FQDN EndpointSlice (CVE-2026-42965)","url":"https://feed.craftedsignal.io/briefs/2026-05-openshift-router-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — OpenShift Router","version":"https://jsonfeed.org/version/1.1"}
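Editor-added example for the first brief above (CVE-2026-46579), appended after the feed body rather than inside the JSON. It is not code from the CraftedSignal feed, Red Hat or the OpenShift Router project. It models the plain-HTTP frontend as the advisory describes it, the hardened behaviour (strip client-supplied X-SSL-Client-* headers before forwarding), a backend that trusts those headers, and a log check over constructed access-log lines. The specific header names X-SSL-Client-Verify and X-SSL-Client-DN, the log format and all sample values are assumptions for this example; the brief only names the X-SSL-Client-* family.

```python
"""Added example for CVE-2026-46579 (not OpenShift Router code).

Assumptions, not stated in the brief: the backend trusts the headers
X-SSL-Client-Verify and X-SSL-Client-DN (common HAProxy names), and the
access-log format used below is made up for this example.
"""
from typing import Dict, List, Optional

IDENTITY_PREFIX = "x-ssl-client-"  # header names are case-insensitive


def vulnerable_http_frontend(headers: Dict[str, str]) -> Dict[str, str]:
    """Plain-HTTP frontend as the advisory describes it: identity headers
    supplied by the client are forwarded to the backend untouched."""
    return dict(headers)


def fixed_http_frontend(headers: Dict[str, str]) -> Dict[str, str]:
    """Hardened plain-HTTP frontend: no TLS handshake happened, so every
    X-SSL-Client-* header must have come from the client. Drop them all,
    matching case-insensitively so 'x-ssl-client-verify' is caught too."""
    return {k: v for k, v in headers.items()
            if not k.lower().startswith(IDENTITY_PREFIX)}


def tls_frontend(headers: Dict[str, str], verified_dn: Optional[str]) -> Dict[str, str]:
    """TLS frontend: strip client-supplied identity headers, then set them
    from the router's own view of the handshake (None = no client cert)."""
    out = fixed_http_frontend(headers)
    if verified_dn is not None:
        out["X-SSL-Client-Verify"] = "SUCCESS"
        out["X-SSL-Client-DN"] = verified_dn
    return out


def backend_identity(headers: Dict[str, str]) -> Optional[str]:
    """Backend that trusts the router-set identity headers (the pattern the
    advisory describes). Returns the authenticated DN, or None."""
    h = {k.lower(): v for k, v in headers.items()}
    return h.get("x-ssl-client-dn") if h.get("x-ssl-client-verify") == "SUCCESS" else None


# Constructed attacker request: plain HTTP, no certificate, forged headers.
SPOOFED_REQUEST = {
    "Host": "mtls-app.apps.example.internal",
    "x-ssl-client-verify": "SUCCESS",          # lowercase on purpose
    "X-SSL-Client-DN": "CN=admin,O=Example",
}


def identity_via_vulnerable_router() -> Optional[str]:
    return backend_identity(vulnerable_http_frontend(SPOOFED_REQUEST))


def identity_via_fixed_router() -> Optional[str]:
    return backend_identity(fixed_http_frontend(SPOOFED_REQUEST))


def identity_via_tls_router(verified_dn: Optional[str]) -> Optional[str]:
    return backend_identity(tls_frontend(SPOOFED_REQUEST, verified_dn))


# Detection over constructed access-log lines (format is an assumption):
#   <scheme> <client_ip> "<method> <path>" hdr=<Name>:<value>;<Name>:<value>
def flag_spoofed_identity_headers(log_lines: List[str]) -> List[str]:
    """Client IPs that sent X-SSL-Client-* headers over plain HTTP. In this
    model the TLS frontend overwrites them, so only scheme http is suspicious."""
    hits: List[str] = []
    for line in log_lines:
        parts = line.split(" ", 2)
        if len(parts) < 3 or "hdr=" not in parts[2]:
            continue
        scheme, client_ip, rest = parts
        names = [h.split(":", 1)[0].strip().lower()
                 for h in rest.split("hdr=", 1)[1].split(";")]
        if scheme == "http" and any(n.startswith(IDENTITY_PREFIX) for n in names):
            hits.append(client_ip)
    return hits


SAMPLE_LOG = [  # constructed for this example
    'https 10.0.0.5 "GET /api/v1/orders" hdr=X-SSL-Client-DN:CN=orders-svc;X-SSL-Client-Verify:SUCCESS',
    'http 198.51.100.23 "GET /api/v1/admin" hdr=x-ssl-client-verify:SUCCESS;X-SSL-Client-DN:CN=admin',
    'http 10.0.0.9 "GET /healthz" hdr=User-Agent:kube-probe/1.29',
]

if __name__ == "__main__":
    print("vulnerable router:", identity_via_vulnerable_router())  # CN=admin,O=Example
    print("fixed router:     ", identity_via_fixed_router())       # None
    print("tls, client cert: ", identity_via_tls_router("CN=orders-svc,O=Example"))
    print("suspicious IPs:   ", flag_spoofed_identity_headers(SAMPLE_LOG))  # ['198.51.100.23']
```

The two details worth carrying into a real deployment are the case-insensitive match (a filter on the exact spelling `X-SSL-Client-DN` misses `x-ssl-client-dn`) and the rule that on a plain-HTTP connection the identity headers are dropped unconditionally rather than validated, because there is no handshake to validate them against.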
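Editor-added example for the second brief above (CVE-2026-42965), also appended here rather than inside the feed JSON; it is not OpenShift Router or Kubernetes code. It shows why a check that only inspects literal IP addresses in an EndpointSlice is bypassed by `addressType: FQDN`, and how a check that resolves the hostname first catches a name pointing at 169.254.169.254. The blocked ranges, the constructed EndpointSlice objects and the in-memory resolver are assumptions for this example.

```python
"""Added example for CVE-2026-42965 (not OpenShift Router or Kubernetes code).

The blocked ranges, the EndpointSlice objects and FAKE_DNS below are
constructed for this example.
"""
import ipaddress
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]

# Link-local and well-known metadata destinations (assumption: tune per cloud).
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),    # AWS/GCP/Azure/OpenStack IMDS
    ipaddress.ip_network("fd00:ec2::254/128"),  # AWS IMDS over IPv6
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def address_is_blocked(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETWORKS)


def ip_only_check(endpoint_slice: Dict) -> List[str]:
    """The pre-fix style of validation the brief says is bypassed: it only
    inspects literal IP addresses, so FQDN slices are never examined."""
    if endpoint_slice.get("addressType") not in ("IPv4", "IPv6"):
        return []
    return [a for ep in endpoint_slice.get("endpoints", [])
            for a in ep.get("addresses", []) if address_is_blocked(a)]


def resolving_check(endpoint_slice: Dict, resolve: Resolver) -> List[str]:
    """Hardened check: resolve FQDN entries and reject any name that (now)
    resolves to a blocked address; literal IPs are checked as before."""
    findings: List[str] = []
    is_fqdn = endpoint_slice.get("addressType") == "FQDN"
    for ep in endpoint_slice.get("endpoints", []):
        for a in ep.get("addresses", []):
            if is_fqdn:
                findings.extend(f"{a} -> {ip}" for ip in resolve(a) if address_is_blocked(ip))
            elif address_is_blocked(a):
                findings.append(a)
    return findings


# Constructed EndpointSlice shaped like the attacker's object from the brief.
MALICIOUS_SLICE = {
    "apiVersion": "discovery.k8s.io/v1",
    "kind": "EndpointSlice",
    "metadata": {"name": "imds-abc", "labels": {"kubernetes.io/service-name": "imds"}},
    "addressType": "FQDN",
    "endpoints": [{"addresses": ["metadata.attacker.example"]}],
    "ports": [{"name": "http", "port": 80}],
}

BENIGN_SLICE = {
    "apiVersion": "discovery.k8s.io/v1",
    "kind": "EndpointSlice",
    "metadata": {"name": "api-xyz", "labels": {"kubernetes.io/service-name": "api"}},
    "addressType": "IPv4",
    "endpoints": [{"addresses": ["10.128.2.17"]}],
    "ports": [{"name": "http", "port": 8080}],
}

# Constructed resolver standing in for DNS so the example runs offline.
FAKE_DNS = {
    "metadata.attacker.example": ["169.254.169.254"],
    "api.example.internal": ["10.128.2.17"],
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    print("ip-only check, malicious:  ", ip_only_check(MALICIOUS_SLICE))  # [] (bypassed)
    print("resolving check, malicious:", resolving_check(MALICIOUS_SLICE, fake_resolve))
    print("resolving check, benign:   ", resolving_check(BENIGN_SLICE, fake_resolve))  # []
```

Resolving at admission time is only a partial control: a short-TTL or rebinding name can pass this check and resolve to the metadata address when the Router actually connects. The durable fixes are the vendor patch, enforcing the destination check at connect time inside the proxy, and restricting EndpointSlice write access as the brief recommends.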