CVE-2026-7163
6.1 MEDIUMA vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine ...
Published: 2026-04-30 · Last updated: 2026-05-19
Severity and scoring
- CVSS
- 6.1 MEDIUM
- Vector
- CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
- CWE
- CWE-312
Affected products
| Vendor | Product |
|---|---|
| redhat | multicluster_engine_for_kubernetes |
Description
A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. The credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace. The affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected. This issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode. Successful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-7163
- [Vendor advisory]https://access.redhat.com/errata/RHSA-2026:11511
- [Vendor advisory]https://access.redhat.com/errata/RHSA-2026:11512
- [Vendor advisory]https://access.redhat.com/errata/RHSA-2026:12116
- [Vendor advisory]https://access.redhat.com/errata/RHSA-2026:12337
- [Other]https://access.redhat.com/errata/RHSA-2026:18584
- [Other]https://access.redhat.com/errata/RHSA-2026:18585
- [Vendor advisory]https://access.redhat.com/security/cve/CVE-2026-7163
- [Other]https://bugzilla.redhat.com/show_bug.cgi?id=2463152
Related CVEs
Same vendor
- CVE-2026-1767 — A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component (5.6 MEDIUM)
- CVE-2026-1766 — A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 com... (5.6 MEDIUM)
- CVE-2026-11793 — A stack buffer overflow flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11790 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11789 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
Same CWE
- CVE-2026-46622 — SolidInvoice is an open-source invoicing platform (8.1 HIGH)
- CVE-2026-10786 — Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain... (6.5 MEDIUM)
- CVE-2026-36176 — GNCC GP5 v7.1.76 was discovered to store pre-signed Backblaze B2 upload URLs (PUT requests) in plaintext to the serial console (7.1 HIGH)
- CVE-2026-4387 — StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a...
- CVE-2026-45040 — RustFS is a distributed object storage system built in Rust