<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Openshift — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/openshift/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 11 Apr 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/openshift/feed.xml" rel="self" type="application/rss+xml"/><item><title>Red Hat OpenShift AI odh-dashboard Kubernetes Token Disclosure (CVE-2026-5483)</title><link>https://feed.craftedsignal.io/briefs/2026-04-openshift-token-disclosure/</link><pubDate>Sat, 11 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-openshift-token-disclosure/</guid><description>CVE-2026-5483 is a high-severity vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) that allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint, potentially leading to unauthorized access to Kubernetes resources.</description><content:encoded><![CDATA[<p>A vulnerability, CVE-2026-5483, has been identified in the <code>odh-dashboard</code> component of Red Hat OpenShift AI (RHOAI). This flaw allows for the unintended disclosure of Kubernetes Service Account tokens via a NodeJS endpoint. Discovered in April 2026, the vulnerability stems from the insertion of sensitive information into sent data. An attacker with knowledge of the vulnerable endpoint can potentially exploit this to gain unauthorized access to Kubernetes resources within the affected OpenShift environment. 
This poses a significant risk, particularly in environments where OpenShift AI is used to manage sensitive data or critical infrastructure.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Red Hat OpenShift AI instance running the vulnerable <code>odh-dashboard</code> component.</li>
<li>The attacker sends an HTTP request to the affected NodeJS endpoint in <code>odh-dashboard</code>. Per the advisory summary, knowledge of the endpoint is what the attacker needs; the flaw lies in what the server puts into its reply, not in any special payload.</li>
<li>The endpoint builds its response without stripping the Kubernetes Service Account token it holds, so the token is sent to the client. This is the CWE-201 condition (Insertion of Sensitive Information Into Sent Data).</li>
<li>The attacker reads the Service Account token from the response body.</li>
<li>The attacker uses the token as a bearer credential against the Kubernetes API server (for example as an <code>Authorization: Bearer</code> header, or via <code>oc --token</code>); the API server treats the requests as the dashboard&rsquo;s service account.</li>
<li>The attacker enumerates what that identity may do (for example with <code>oc auth can-i --list</code>) and which namespaces and resources are reachable.</li>
<li>Within the RBAC bound to the compromised service account, the attacker reads sensitive data, modifies configurations, or deploys workloads in the cluster.</li>
</ol>
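<p>To make the last four steps concrete from the defender&rsquo;s side, the following is an added example (not code from Red Hat or the odh-dashboard project) that does what an incident responder does with a token found in a captured response: it locates JWT-shaped strings in a response body, decodes the payload without verifying the signature, and reports which service account and namespace the token belongs to and whether it is a short-lived bound token or a legacy long-lived one. The response shape, the namespace and the service account name in the sample are constructed assumptions, not details taken from the advisory.</p>

```python
"""Triage a Kubernetes Service Account token that has shown up where it should not.

Added example, not code from Red Hat or the odh-dashboard project. It does not
verify signatures (the goal is to identify a leaked credential, not to trust it);
it decodes the JWT payload to answer the incident-response questions: which
service account, which namespace, and does the token expire on its own.
"""
from __future__ import annotations

import base64
import json
import re
from datetime import datetime, timezone

# A JWT is three base64url segments; SA tokens are long, so require a minimum size.
_JWT_RE = re.compile(r"[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def find_jwts(text: str) -> list[str]:
    """Return every JWT-shaped string in an HTTP response body or log line."""
    return _JWT_RE.findall(text)


def describe_sa_token(token: str) -> dict | None:
    """Decode (without verifying) a JWT; summarise it if it is a Kubernetes SA token."""
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return None
    sub = payload.get("sub", "")
    if not sub.startswith("system:serviceaccount:"):
        return None
    _, _, namespace, name = sub.split(":", 3)
    aud = payload.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    exp = payload.get("exp")
    # The nested "kubernetes.io" claim exists only on bound (projected) tokens.
    bound = payload.get("kubernetes.io")
    pod = bound.get("pod", {}).get("name") if isinstance(bound, dict) else None
    return {
        "namespace": namespace,
        "service_account": name,
        "audiences": aud,
        "expires": datetime.fromtimestamp(exp, tz=timezone.utc).isoformat() if exp else None,
        "legacy_long_lived": exp is None,  # legacy Secret-backed tokens never expire
        "pod": pod,
    }


def scan_response(body: str) -> list[dict]:
    """Flag every Service Account token embedded in a response body (the CWE-201 symptom)."""
    found = []
    for token in find_jwts(body):
        info = describe_sa_token(token)
        if info is not None:
            found.append(info)
    return found


def _fake_token(payload: dict) -> str:
    """Constructed, unsigned token for the demo; real tokens carry an RSA/ECDSA signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "example-key"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.{_b64url_encode(b'not-a-real-signature-padding-bytes')}"


# Constructed samples. Namespace and service account name are assumptions.
BOUND_TOKEN = _fake_token({
    "iss": "https://kubernetes.default.svc",
    "sub": "system:serviceaccount:redhat-ods-applications:odh-dashboard",
    "aud": ["https://kubernetes.default.svc"],
    "exp": 1775952000,  # 2026-04-12T00:00:00Z
    "kubernetes.io": {
        "namespace": "redhat-ods-applications",
        "pod": {"name": "odh-dashboard-7c9f-abcde"},
        "serviceaccount": {"name": "odh-dashboard"},
    },
})
LEGACY_TOKEN = _fake_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "redhat-ods-applications",
    "kubernetes.io/serviceaccount/service-account.name": "odh-dashboard",
    "sub": "system:serviceaccount:redhat-ods-applications:odh-dashboard",
})
# Constructed JSON reply that wrongly echoes the server's own token next to harmless fields.
LEAKED_RESPONSE = json.dumps({"status": "ok", "user": "alice",
                              "debug": {"serviceAccountToken": BOUND_TOKEN}})

if __name__ == "__main__":
    for hit in scan_response(LEAKED_RESPONSE):
        print(hit)
```

<p>Run it over saved HTTP responses or proxy captures. A hit with <code>legacy_long_lived</code> true is a credential that stays valid until its Secret is deleted; a bound token dies at <code>expires</code>, but the endpoint will have been handing out the refreshed token in the meantime, so the patch, not the expiry, is what closes the exposure.</p>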
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-5483 hands the attacker a valid Kubernetes credential for the service account whose token the <code>odh-dashboard</code> endpoint leaked. Because the token is a bearer credential, no authentication step has to be defeated; the API server simply treats the attacker&rsquo;s requests as that service account. The reach of the compromise is bounded by the RBAC bound to that account. A dashboard component typically holds broad rights across OpenShift AI namespaces, so the practical outcome can range from reading sensitive project data to altering configurations and deploying workloads, and in the worst case to control of the cluster, affecting every user and application relying on the compromised instance. The severity is high, with a CVSS v3.1 base score of 8.5.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch provided by Red Hat via RHSA-2026:7397 to remediate the vulnerability in <code>odh-dashboard</code>.</li>
<li>Monitor web server logs for suspicious requests targeting NodeJS endpoints associated with <code>odh-dashboard</code> using the &ldquo;Detect OpenShift Token Disclosure Attempt&rdquo; Sigma rule.</li>
<li>Implement network segmentation to limit the impact of a potential compromise and restrict access to sensitive Kubernetes resources.</li>
<li>Enable and review Kubernetes API audit logs to detect activity performed with the leaked credential. A stolen token used from outside the cluster appears as requests by the dashboard&rsquo;s service account whose source IP and user agent do not match the dashboard pod, or that touch resources (such as Secrets) the dashboard never reads.</li>
<li>After patching, invalidate the token the dashboard exposed rather than waiting for it to expire: delete any long-lived service-account token Secret for the account and restart the pods so that projected tokens are reissued. Prefer short-lived bound tokens over legacy Secret-backed tokens so that a future leak has a bounded lifetime.</li>
</ul>
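<p>The audit-log recommendation above is easy to state and fiddly to operationalise, so here is an added example (not Red Hat content, and not the Sigma rule named above) of the hunt in Python: it parses Kubernetes API audit events (<code>audit.k8s.io/v1</code> Event JSON lines) and flags requests made as the dashboard&rsquo;s service account whose source IP, user agent or target resource departs from a baseline. The baseline values (the service account name, the <code>10.128.0.0/14</code> pod network, the Node.js user agent prefix) and the sample events are constructed assumptions.</p>

```python
"""Hunt for a Service Account token being used from outside its normal context.

Added example, not Red Hat code and not a Sigma rule. It reads Kubernetes API
audit events (audit.k8s.io/v1 Event, one JSON object per line) and flags
requests authenticated as a given service account whose source IP, user agent
or target resource does not match a baseline. All baseline values are assumed.
"""
from __future__ import annotations

import ipaddress
import json

# Assumed baseline: the dashboard's pods live in the OpenShift default cluster
# network and its server talks to the API with node-fetch, not oc/kubectl/curl.
BASELINE = {
    "username": "system:serviceaccount:redhat-ods-applications:odh-dashboard",
    "pod_cidr": ipaddress.ip_network("10.128.0.0/14"),
    "user_agent_prefixes": ("node-fetch/",),
    "sensitive_resources": {"secrets", "serviceaccounts", "rolebindings", "clusterrolebindings"},
}


def parse_audit_log(text: str) -> list[dict]:
    """Parse JSON-lines audit output (one Event per line), skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_events(events: list[dict], baseline: dict = BASELINE) -> list[dict]:
    """Return events for baseline['username'] that break the baseline, with reasons.

    Note: sourceIPs also carries X-Forwarded-For values when the request passed
    through a proxy or load balancer, so every listed address is checked.
    """
    hits = []
    for ev in events:
        if ev.get("user", {}).get("username") != baseline["username"]:
            continue
        reasons = []
        for ip in ev.get("sourceIPs", []):
            if ipaddress.ip_address(ip) not in baseline["pod_cidr"]:
                reasons.append(f"source {ip} outside pod network")
        ua = ev.get("userAgent", "")
        if not ua.startswith(baseline["user_agent_prefixes"]):
            reasons.append(f"unexpected user agent {ua!r}")
        resource = ev.get("objectRef", {}).get("resource")
        if resource in baseline["sensitive_resources"]:
            reasons.append(f"{ev.get('verb')} on {resource}")
        if reasons:
            hits.append({"auditID": ev.get("auditID"),
                         "requestURI": ev.get("requestURI"),
                         "reasons": reasons})
    return hits


# Constructed audit events: one normal dashboard request, one use of the same
# identity from a workstation with kubectl against Secrets, one unrelated user.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "auditID": "2f3c0a7e-0001", "stage": "ResponseComplete",
        "requestURI": "/apis/kubeflow.org/v1/namespaces/rhods-notebooks/notebooks",
        "verb": "list", "user": {"username": BASELINE["username"]},
        "sourceIPs": ["10.129.2.17"], "userAgent": "node-fetch/1.0",
        "objectRef": {"resource": "notebooks", "namespace": "rhods-notebooks"},
        "responseStatus": {"code": 200},
    },
    {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "auditID": "2f3c0a7e-0002", "stage": "ResponseComplete",
        "requestURI": "/api/v1/secrets?limit=500",
        "verb": "list", "user": {"username": BASELINE["username"]},
        "sourceIPs": ["203.0.113.44"], "userAgent": "kubectl/v1.31.0 (linux/amd64)",
        "objectRef": {"resource": "secrets"},
        "responseStatus": {"code": 200},
    },
    {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "auditID": "2f3c0a7e-0003", "stage": "ResponseComplete",
        "requestURI": "/api/v1/namespaces/team-a/pods",
        "verb": "list", "user": {"username": "alice"},
        "sourceIPs": ["203.0.113.9"], "userAgent": "kubectl/v1.31.0 (linux/amd64)",
        "objectRef": {"resource": "pods", "namespace": "team-a"},
        "responseStatus": {"code": 200},
    },
])

if __name__ == "__main__":
    for hit in suspicious_events(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(hit)
```

<p>On OpenShift the API server&rsquo;s audit logs are collected from the control-plane nodes (for example with <code>oc adm node-logs --role=master --path=kube-apiserver/</code>); feed the JSON lines to <code>parse_audit_log</code> and tune the baseline to what the dashboard pod actually does in your cluster before alerting on it.</p>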
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>openshift</category><category>kubernetes</category><category>token-disclosure</category><category>cve-2026-5483</category></item><item><title>Red Hat OpenShift AI Llama Stack Unauthorized Access Vulnerability (CVE-2025-12805)</title><link>https://feed.craftedsignal.io/briefs/2026-03-openshift-ai-vuln/</link><pubDate>Fri, 27 Mar 2026 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-openshift-ai-vuln/</guid><description>CVE-2025-12805 describes a flaw in Red Hat OpenShift AI (RHOAI) llama-stack-operator that allows unauthorized access to Llama Stack services in other namespaces via direct network requests due to missing NetworkPolicy restrictions, potentially enabling attackers to view or manipulate sensitive data.</description><content:encoded>&lt;p>A vulnerability, CVE-2025-12805, has been identified in Red Hat OpenShift AI (RHOAI) llama-stack-operator. The vulnerability stems from the lack of NetworkPolicy restrictions on the llama-stack service endpoint. This allows a user within one namespace to bypass intended isolation and directly access Llama Stack services deployed in other namespaces. The vulnerability was published on March 26, 2026. Successful exploitation could lead to unauthorized data access and manipulation, impacting the…&lt;/p>
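&lt;p>The flaw above is the absence of a NetworkPolicy rather than a bug in one, so the useful check is whether the policies present in a namespace actually isolate the Llama Stack pods. The following added example (not Red Hat or llama-stack-operator code) evaluates the NetworkPolicy semantics the CVE hinges on: a pod that no policy selects accepts ingress from every namespace; once a policy selects it, only matching traffic is admitted; and a from entry with a bare podSelector admits same-namespace pods only, while an empty namespaceSelector admits every namespace. It embeds a policy that closes the gap and one that only appears to. The pod labels and namespace names are assumptions.&lt;/p>

```python
"""Check whether a workload is reachable only from its own namespace.

Added example, not Red Hat or llama-stack-operator code. It evaluates the
Kubernetes NetworkPolicy semantics behind CVE-2025-12805: a pod that no
policy selects accepts ingress from every namespace; once any policy selects
it, only traffic matching some rule is admitted; a 'from' entry with a bare
podSelector admits same-namespace pods only. Label keys are assumptions.
"""
from __future__ import annotations

LLAMA_STACK_LABELS = {"app.kubernetes.io/name": "llama-stack"}  # assumed pod labels

# Policy that closes the gap: only pods in the same namespace may reach the service.
SAME_NAMESPACE_ONLY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "llama-stack-same-namespace", "namespace": "team-a"},
    "spec": {
        "podSelector": {"matchLabels": LLAMA_STACK_LABELS},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {}}]}],
    },
}

# Looks restrictive but is not: an empty namespaceSelector matches every namespace.
OVERLY_BROAD = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "llama-stack-any-namespace", "namespace": "team-a"},
    "spec": {
        "podSelector": {"matchLabels": LLAMA_STACK_LABELS},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"namespaceSelector": {}}]}],
    },
}


def selects(selector: dict | None, labels: dict) -> bool:
    """matchLabels evaluation; an empty selector selects everything (matchExpressions omitted)."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def covers_ingress(policy: dict) -> bool:
    """Ingress is governed when policyTypes lists it, or when policyTypes is omitted."""
    types = policy["spec"].get("policyTypes")
    return types is None or "Ingress" in types


def audit_ingress(policies: list[dict], pod_labels: dict) -> dict:
    """Report whether a pod with pod_labels is isolated and whether any rule admits other namespaces."""
    selecting = [p for p in policies
                 if covers_ingress(p) and selects(p["spec"].get("podSelector", {}), pod_labels)]
    if not selecting:
        return {"isolated": False, "cross_namespace": True,
                "findings": ["no NetworkPolicy selects the pod: all ingress is allowed"]}
    findings = []
    for policy in selecting:
        name = policy["metadata"]["name"]
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:  # absent or empty 'from' means any source
                findings.append(f"{name}: rule without 'from' admits every source")
                continue
            for peer in peers:
                if "namespaceSelector" in peer:
                    findings.append(f"{name}: namespaceSelector may admit other namespaces (review it)")
                elif "ipBlock" in peer:
                    findings.append(f"{name}: ipBlock may include other namespaces' pod IPs")
    # Policies are additive, so one broad rule undoes a strict one next to it.
    return {"isolated": True, "cross_namespace": bool(findings), "findings": findings}


if __name__ == "__main__":
    for policies in ([], [SAME_NAMESPACE_ONLY], [OVERLY_BROAD], [SAME_NAMESPACE_ONLY, OVERLY_BROAD]):
        print([p["metadata"]["name"] for p in policies], audit_ingress(policies, LLAMA_STACK_LABELS))
```

&lt;p>Feed it the output of listing the NetworkPolicy objects in each namespace that hosts a Llama Stack deployment. The check only reasons about policy objects; it assumes the cluster network plugin enforces NetworkPolicy, which the OpenShift default plugins do, and it does not model matchExpressions or namespace-level admin policies.&lt;/p>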
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>openshift</category><category>kubernetes</category><category>networkpolicy</category><category>unauthorized-access</category></item><item><title>Red Hat OpenShift GitOps Multiple Vulnerabilities</title><link>https://feed.craftedsignal.io/briefs/2026-03-openshift-gitops-vulns/</link><pubDate>Wed, 25 Mar 2026 10:21:36 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-openshift-gitops-vulns/</guid><description>An anonymous remote attacker can exploit multiple vulnerabilities in Red Hat OpenShift GitOps to manipulate data, misrepresent information, or cause a denial of service.</description><content:encoded><![CDATA[<p>Red Hat OpenShift GitOps is susceptible to multiple vulnerabilities that can be exploited by an anonymous remote attacker. The vulnerabilities can lead to data manipulation, misrepresentation of information, or a denial-of-service condition. Given the widespread adoption of OpenShift in cloud environments, these vulnerabilities pose a significant risk to organizations relying on the platform for application deployment and management. Successful exploitation could lead to unauthorized modification of application configurations, leading to compromised deployments and potentially impacting service availability. Defenders should prioritize patching and implementing mitigations to prevent exploitation of these vulnerabilities.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a remotely reachable Red Hat OpenShift GitOps instance running an unpatched version.</li>
<li>Because the advisory describes the attacker as anonymous, no valid credentials are needed to reach the affected functionality.</li>
<li>Using one of the reported flaws, the attacker alters data held or processed by the GitOps system (the &ldquo;manipulate data&rdquo; outcome in the advisory).</li>
<li>Another of the reported flaws lets the attacker cause the system to present incorrect information to operators (the &ldquo;misrepresent information&rdquo; outcome), so that decisions are made on false state.</li>
<li>Manipulated configuration that reaches the reconciliation loop results in unintended changes to deployed applications.</li>
<li>Alternatively, the attacker triggers a denial-of-service flaw and the GitOps service becomes unavailable.</li>
<li>While the service is down, legitimate application deployments and updates stall.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities in Red Hat OpenShift GitOps can lead to data manipulation, where critical application configurations are altered without authorization. Information can be misrepresented, leading to incorrect operational decisions. A denial of service can disrupt application deployments and updates, impacting service availability. The impact depends on the specific vulnerabilities exploited and the target environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Review Red Hat&rsquo;s security advisories for the specific CVEs affecting OpenShift GitOps and apply the corresponding patches promptly.</li>
<li>Implement network segmentation so that the OpenShift GitOps endpoints (the Argo CD API server and web UI on which OpenShift GitOps is built) are not reachable anonymously from untrusted networks.</li>
<li>Monitor OpenShift GitOps logs (the Argo CD API server, repo-server and application-controller logs) for unauthorized configuration changes, unexpected sync operations, or anonymous access attempts.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>openshift</category><category>gitops</category><category>vulnerability</category><category>cloud</category></item></channel></rss>