{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/acm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-4740"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["kubernetes","privilege-escalation","cve-2026-4740","ocm","acm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-4740, exists within Red Hat Advanced Cluster Management (ACM), which utilizes Open Cluster Management (OCM) technology. This flaw stems from the improper validation of Kubernetes client certificate renewal requests. A malicious managed cluster administrator can exploit this vulnerability to forge a client certificate. This forged certificate, if approved by the OCM controller, grants the attacker elevated privileges across different clusters. The successful exploitation of this vulnerability can lead to an attacker gaining complete control over other managed clusters and potentially the central hub cluster, posing a significant threat to the entire ACM environment. This vulnerability impacts any environment utilizing Red Hat Advanced Cluster Management.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA managed cluster administrator gains initial access to a managed Kubernetes cluster within the ACM environment.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Kubernetes client certificate renewal request, exploiting the lack of proper validation in OCM.\u003c/li\u003e\n\u003cli\u003eThe forged certificate request is submitted to the OCM controller for approval.\u003c/li\u003e\n\u003cli\u003eDue to insufficient validation, the OCM controller approves the forged client certificate.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the approved, forged certificate to authenticate to other managed clusters.\u003c/li\u003e\n\u003cli\u003eUsing the forged certificate, the attacker escalates privileges within the targeted managed clusters.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages escalated privileges to move laterally across the cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the targeted managed clusters, potentially including the central hub cluster, allowing for data exfiltration, service disruption, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4740 can lead to complete compromise of the Red Hat Advanced Cluster Management environment. A malicious managed cluster administrator can leverage this vulnerability to gain control over other managed clusters, including the hub cluster. This allows for unauthorized access to sensitive data, disruption of critical services, and potential deployment of malicious workloads across the compromised clusters. The vulnerability has a CVSS v3.1 score of 8.2, indicating a high severity. The number of potential victims depends on the scope of ACM deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of Red Hat Advanced Cluster Management (ACM) that addresses CVE-2026-4740 to remediate the improper certificate validation.\u003c/li\u003e\n\u003cli\u003eImplement stricter validation policies for Kubernetes client certificate renewal requests within your OCM environment to prevent the forging of certificates.\u003c/li\u003e\n\u003cli\u003eMonitor Kubernetes API server logs for suspicious certificate creation or approval activities, using the \u003ccode\u003etitle: \u0026quot;Detect Suspicious Kubernetes Certificate Creation\u0026quot;\u003c/code\u003e Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement Role-Based Access Control (RBAC) policies within your Kubernetes clusters to limit the privileges of managed cluster administrators and mitigate the impact of potential privilege escalation.\u003c/li\u003e\n\u003cli\u003eMonitor the OCM controller logs for certificate-related events as they relate to CVE-2026-4740.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T15:17:46Z","date_published":"2026-04-07T15:17:46Z","id":"/briefs/2026-04-ocm-privesc/","summary":"CVE-2026-4740 describes a vulnerability in Red Hat Open Cluster Management (OCM) where improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge certificates, enabling cross-cluster privilege escalation.","title":"Red Hat Open Cluster Management (OCM) Cross-Cluster Privilege Escalation via Forged Certificates (CVE-2026-4740)","url":"https://feed.craftedsignal.io/briefs/2026-04-ocm-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Acm","version":"https://jsonfeed.org/version/1.1"}