CVE-2026-4740
Received Received - Intake
Improper Certificate Validation in Open Cluster Management Enables Privilege Escalation

Publication date: 2026-04-07

Last updated on: 2026-04-28

Assigner: Red Hat, Inc.

Description
A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This enables cross-cluster privilege escalation and may allow an attacker to gain control over other managed clusters, including the hub cluster.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4740
EUVD
EUVD-2026-19690
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat advanced_cluster_management_for_kubernetes *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4740 is a high-severity vulnerability in Open Cluster Management (OCM), the technology behind Red Hat Advanced Cluster Management (ACM). It arises from improper validation of Kubernetes client certificate renewal requests.

Specifically, the OCM controller does not correctly validate renewed client certificates, allowing a managed cluster administrator to forge a client certificate that the controller will approve.

This flaw is worsened by predictable cluster name prefix matching, which enables an attacker with access to one managed cluster to escalate privileges across clusters.

As a result, the attacker can potentially gain control over other managed clusters, including the central hub cluster, leading to cross-cluster privilege escalation.

Impact Analysis

This vulnerability allows an attacker who already has administrative access to at least one managed cluster to escalate their privileges to other managed clusters and the central hub cluster.

By forging client certificates, the attacker can gain permissions to manage ManifestWork resources, which enable deployment of arbitrary Kubernetes resources on managed clusters.

Because the hub cluster is registered as a managed cluster, an attacker can escalate privileges to the hub cluster, effectively gaining cluster-admin level access.

This means the attacker can deploy arbitrary resources on the hub cluster and control the entire Kubernetes cluster fleet managed by Red Hat Advanced Cluster Management.

The impact includes high confidentiality, integrity, and availability risks across the affected clusters.

Detection Guidance

Detection of this vulnerability involves monitoring Kubernetes CertificateSigningRequest (CSR) objects for suspicious renewal requests that have manipulated group names with prefixes matching other clusters. An attacker forges CSRs with group names that share the same prefix as the target cluster to gain unauthorized approval.

To detect potential exploitation, you can inspect CSRs in your Kubernetes clusters for unusual or unexpected group names or cluster name labels that do not exactly match the cluster identity.

Suggested commands to help detect suspicious CSRs include:

  • kubectl get certificatesigningrequests
  • kubectl describe certificatesigningrequest <csr-name>
  • kubectl get csr -o json | jq '.items[] | select(.spec.username | test("^system:open-cluster-management:.*")) | {name: .metadata.name, username: .spec.username, groups: .spec.groups, labels: .metadata.labels}'

Look specifically for CSRs where the group names or the label `open-cluster-management.io/cluster-name` have prefixes that could be forged or do not exactly match the expected cluster name.

Mitigation Strategies

Immediate mitigation steps include:

  • Restrict permissions on ManifestWork resources and secrets in managed clusters to limit the ability of an attacker to deploy arbitrary resources.
  • Limit the lifetime and scope of bootstrap JWT tokens used for certificate issuance to reduce the window of opportunity for exploitation.
  • Monitor and audit CSR renewal requests closely to detect and block forged CSRs with manipulated group names.
  • Consider architectural changes to enforce unidirectional communication from the hub cluster to managed clusters to reduce lateral movement risks.

Long-term mitigation requires updating the OCM controller to improve CSR validation logic so that group names exactly match the cluster name and cannot be forged by prefix matching.

Compliance Impact

The vulnerability allows an attacker with administrative access to a managed cluster to escalate privileges to the hub cluster, potentially gaining full control over the entire Kubernetes cluster fleet. This cross-cluster privilege escalation can lead to unauthorized access, modification, and deployment of arbitrary resources across clusters.

Such unauthorized access and control over sensitive cluster resources could result in breaches of confidentiality, integrity, and availability of data and systems managed within these clusters.

Consequently, this vulnerability may impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and systems, as well as measures to prevent unauthorized privilege escalation and data breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4740. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart