{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mtls/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-46579"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenShift Router"],"_cs_severities":["high"],"_cs_tags":["openshift","mtls","header-injection","cve-2026-46579"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eThe OpenShift Router is susceptible to a critical security flaw identified as CVE-2026-46579. This vulnerability exists when a Route within OpenShift is configured with the \u003ccode\u003einsecureEdgeTerminationPolicy\u003c/code\u003e set to \u0026ldquo;Allow\u0026rdquo;. In this configuration, the HTTP frontend of the Router fails to sanitize incoming requests by removing potentially malicious \u003ccode\u003eX-SSL-Client-*\u003c/code\u003e headers. This oversight enables an unauthenticated attacker to craft and inject arbitrary \u003ccode\u003eX-SSL-Client-*\u003c/code\u003e headers into plain HTTP requests. The vulnerability allows bypassing mutual TLS (mTLS) authentication mechanisms and impersonating legitimate client certificate identities. This issue poses a significant risk to applications relying on mTLS for secure communication, as it can lead to unauthorized access and data compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an OpenShift Route configured with \u003ccode\u003einsecureEdgeTerminationPolicy\u003c/code\u003e set to \u0026ldquo;Allow\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a plain HTTP request containing malicious \u003ccode\u003eX-SSL-Client-*\u003c/code\u003e headers.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted HTTP request to the OpenShift Router.\u003c/li\u003e\n\u003cli\u003eThe Router, due to the misconfiguration, forwards the request with the attacker-controlled \u003ccode\u003eX-SSL-Client-*\u003c/code\u003e headers to the backend service.\u003c/li\u003e\n\u003cli\u003eThe backend service, incorrectly trusting the \u003ccode\u003eX-SSL-Client-*\u003c/code\u003e headers due to the lack of sanitization by the Router, authenticates the attacker as a legitimate client.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the backend service, impersonating the client certificate identity.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions, such as accessing sensitive data or executing privileged operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-46579 allows an unauthenticated attacker to bypass mutual TLS authentication in OpenShift environments. This can lead to unauthorized access to sensitive resources, privilege escalation, and data breaches. The number of affected deployments depends on the prevalence of the vulnerable \u003ccode\u003einsecureEdgeTerminationPolicy\u003c/code\u003e configuration. Organizations relying on mutual TLS for securing backend services are at significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security patches to the OpenShift Router to address CVE-2026-46579.\u003c/li\u003e\n\u003cli\u003eReview all OpenShift Route configurations to ensure that \u003ccode\u003einsecureEdgeTerminationPolicy\u003c/code\u003e is not set to \u0026ldquo;Allow\u0026rdquo; where mutual TLS authentication is required.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect OpenShift Router mTLS Bypass Attempt via X-SSL-Client Headers\u0026rdquo; to detect attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious \u003ccode\u003eX-SSL-Client-*\u003c/code\u003e headers originating from unexpected sources or containing unusual values.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T11:18:14Z","date_published":"2026-05-29T11:18:14Z","id":"https://feed.craftedsignal.io/briefs/2026-05-openshift-router-header-bypass/","summary":"CVE-2026-46579 describes a vulnerability in the Red Hat OpenShift Router. When a Route is configured with `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend fails to remove `X-SSL-Client-*` headers from incoming requests, allowing unauthenticated attackers to bypass mutual TLS authentication and impersonate client certificate identities.","title":"OpenShift Router Vulnerability CVE-2026-46579: Mutual TLS Bypass via Header Injection","url":"https://feed.craftedsignal.io/briefs/2026-05-openshift-router-header-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Mtls","version":"https://jsonfeed.org/version/1.1"}