{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/openshift/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.5,"id":"CVE-2026-5483"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openshift","kubernetes","token-disclosure","cve-2026-5483"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability, CVE-2026-5483, has been identified in the \u003ccode\u003eodh-dashboard\u003c/code\u003e component of Red Hat OpenShift AI (RHOAI). This flaw allows for the unintended disclosure of Kubernetes Service Account tokens via a NodeJS endpoint. Discovered in April 2026, the vulnerability stems from the insertion of sensitive information into sent data. An attacker with knowledge of the vulnerable endpoint can potentially exploit this to gain unauthorized access to Kubernetes resources within the affected OpenShift environment. This poses a significant risk, particularly in environments where OpenShift AI is used to manage sensitive data or critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Red Hat OpenShift AI instance running the vulnerable \u003ccode\u003eodh-dashboard\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the vulnerable NodeJS endpoint responsible for handling Kubernetes Service Account tokens.\u003c/li\u003e\n\u003cli\u003eThe vulnerable endpoint processes the request without proper sanitization or access controls.\u003c/li\u003e\n\u003cli\u003eThe Kubernetes Service Account token is inadvertently included in the response data due to the CWE-201 vulnerability (Insertion of Sensitive Information Into Sent Data).\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts or captures the response containing the leaked Kubernetes Service Account token.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised Kubernetes Service Account token to authenticate to the Kubernetes API.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates the Kubernetes cluster to identify potential targets and resources.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised Service Account privileges to access sensitive data, modify configurations, or deploy malicious workloads within the Kubernetes cluster.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5483 can lead to unauthorized access to Kubernetes resources within a Red Hat OpenShift AI environment. The disclosure of Kubernetes Service Account tokens allows an attacker to bypass authentication controls and potentially gain complete control over the cluster. This could result in data breaches, service disruptions, and the deployment of malicious applications, affecting all users and applications relying on the compromised OpenShift AI instance. The severity is high, with a CVSS v3.1 base score of 8.5.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided by Red Hat via RHSA-2026:7397 to remediate the vulnerability in \u003ccode\u003eodh-dashboard\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting NodeJS endpoints associated with \u003ccode\u003eodh-dashboard\u003c/code\u003e using the \u0026ldquo;Detect OpenShift Token Disclosure Attempt\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a potential compromise and restrict access to sensitive Kubernetes resources.\u003c/li\u003e\n\u003cli\u003eEnable and review Kubernetes audit logs to detect unauthorized activity performed by compromised service accounts.\u003c/li\u003e\n\u003cli\u003eRotate Kubernetes Service Account tokens regularly to minimize the window of opportunity for an attacker to exploit leaked credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-openshift-token-disclosure/","summary":"CVE-2026-5483 is a high-severity vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) that allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint, potentially leading to unauthorized access to Kubernetes resources.","title":"Red Hat OpenShift AI odh-dashboard Kubernetes Token Disclosure (CVE-2026-5483)","url":"https://feed.craftedsignal.io/briefs/2026-04-openshift-token-disclosure/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openshift","kubernetes","networkpolicy","unauthorized-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability, CVE-2025-12805, has been identified in Red Hat OpenShift AI (RHOAI) llama-stack-operator. The vulnerability stems from the lack of NetworkPolicy restrictions on the llama-stack service endpoint. This allows a user within one namespace to bypass intended isolation and directly access Llama Stack services deployed in other namespaces. The vulnerability was published on March 26, 2026. Successful exploitation could lead to unauthorized data access and manipulation, impacting the…\u003c/p\u003e\n","date_modified":"2026-03-27T10:00:00Z","date_published":"2026-03-27T10:00:00Z","id":"/briefs/2026-03-openshift-ai-vuln/","summary":"CVE-2025-12805 describes a flaw in Red Hat OpenShift AI (RHOAI) llama-stack-operator that allows unauthorized access to Llama Stack services in other namespaces via direct network requests due to missing NetworkPolicy restrictions, potentially enabling attackers to view or manipulate sensitive data.","title":"Red Hat OpenShift AI Llama Stack Unauthorized Access Vulnerability (CVE-2025-12805)","url":"https://feed.craftedsignal.io/briefs/2026-03-openshift-ai-vuln/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["openshift","gitops","vulnerability","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRed Hat OpenShift GitOps is susceptible to multiple vulnerabilities that can be exploited by an anonymous remote attacker. The vulnerabilities can lead to data manipulation, misrepresentation of information, or a denial-of-service condition. Given the widespread adoption of OpenShift in cloud environments, these vulnerabilities pose a significant risk to organizations relying on the platform for application deployment and management. Successful exploitation could lead to unauthorized modification of application configurations, leading to compromised deployments and potentially impacting service availability. Defenders should prioritize patching and implementing mitigations to prevent exploitation of these vulnerabilities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Red Hat OpenShift GitOps instance accessible remotely.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability allowing for unauthenticated access to sensitive data within the GitOps system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages another vulnerability to inject malicious code into the GitOps configuration.\u003c/li\u003e\n\u003cli\u003eThe injected code is then used to modify application deployment parameters.\u003c/li\u003e\n\u003cli\u003eThe modified parameters lead to the deployment of compromised application versions.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker exploits a denial-of-service vulnerability to disrupt the GitOps service.\u003c/li\u003e\n\u003cli\u003eThe disrupted service prevents legitimate application deployments or updates.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities in Red Hat OpenShift GitOps can lead to data manipulation, where critical application configurations are altered without authorization. Information can be misrepresented, leading to incorrect operational decisions. A denial of service can disrupt application deployments and updates, impacting service availability. The impact depends on the specific vulnerabilities exploited and the target environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview Red Hat\u0026rsquo;s security advisories for specific CVEs related to OpenShift GitOps and apply necessary patches immediately (references).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit remote access to OpenShift GitOps instances (network_connection).\u003c/li\u003e\n\u003cli\u003eMonitor OpenShift GitOps logs for suspicious activity, such as unauthorized configuration changes or access attempts (file_event, process_creation).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T10:21:36Z","date_published":"2026-03-25T10:21:36Z","id":"/briefs/2026-03-openshift-gitops-vulns/","summary":"An anonymous remote attacker can exploit multiple vulnerabilities in Red Hat OpenShift GitOps to manipulate data, misrepresent information, or cause a denial of service.","title":"Red Hat OpenShift GitOps Multiple Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-03-openshift-gitops-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — Openshift","version":"https://jsonfeed.org/version/1.1"}