CVE-2026-7163
Authentication Bypass in Multicluster Engine
Publication date: 2026-04-30
Last updated on: 2026-05-05
Assigner: Red Hat, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | multicluster_engine_for_kubernetes | 2.1 |
| redhat | multicluster_engine_for_kubernetes | 2.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7163 is a vulnerability in the assisted-service REST API, an optional component of the Multicluster Engine (MCE) used in OpenShift clusters.
It allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for any cluster provisioned through the hub.
This happens because the credentials download endpoint and the kubeconfig download endpoint are accessible in AUTH_TYPE=local mode, which is the only authentication mode available in on-premises ACM/MCE hub deployments.
The local authenticator grants full administrative access to any request with a valid JWT, without per-endpoint restrictions.
A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL, which can be read by any user with get rights on an InfraEnv object in their namespace.
Successful exploitation provides the attacker with the kubeadmin password and kubeconfig for any OpenShift cluster, granting unrestricted root-level administrative access.
How can this vulnerability impact me?
This vulnerability can have a significant impact because it allows an attacker with minimal privileges to gain full administrative access to any OpenShift cluster provisioned through the affected hub.
With the obtained kubeadmin password and kubeconfig, the attacker can control the cluster at the root level, potentially leading to unauthorized changes, data breaches, or disruption of services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for the presence of the assisted-service REST API component in your Multicluster Engine (MCE) or Red Hat Advanced Cluster Management (ACM) deployment, specifically when running in AUTH_TYPE=local mode.
You can attempt to identify if the credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials) and kubeconfig download endpoint are accessible with minimal privileges by using commands that query these endpoints with a valid JWT token.
Since a valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL, you can check for this URL in your namespaces by running commands to list InfraEnv objects and inspecting the ISODownloadURL field.
- Use kubectl to list InfraEnv objects and check ISODownloadURL: `kubectl get infraenv -n <namespace> -o jsonpath='{.items[*].status.isoDownloadURL}'`
- Attempt to access the credentials endpoint with a valid JWT token to see if kubeadmin credentials can be retrieved: `curl -H "Authorization: Bearer <JWT>" https://<hub-url>/v2/clusters/<cluster_id>/credentials`
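As an added detection example (not part of this CVE record or of the assisted-service project), the following script walks the JSON that `kubectl get infraenv -A -o json` returns and flags every InfraEnv whose `status.isoDownloadURL` carries a JWT-shaped query parameter, reporting only a redacted prefix so the token itself is never copied into logs. The sample objects, hostnames and the parameter name `token` are constructed; because the record does not name the query parameter that holds the JWT, the check inspects every parameter in the URL.

```python
import base64
import json
import re
from urllib.parse import parse_qsl, urlsplit

# A JWT is three base64url segments joined by dots; the signature segment may be
# empty for unsecured tokens, so it is allowed to be blank here.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT encoding strips, then decode.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def looks_like_jwt(value: str) -> bool:
    """True if value is JWT-shaped and its header decodes to JSON with an alg claim."""
    if not JWT_RE.match(value):
        return False
    try:
        header = json.loads(_b64url_decode(value.split(".")[0]))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(header, dict) and "alg" in header

def find_exposed_tokens(infraenv_list: dict) -> list:
    """Scan `kubectl get infraenv -A -o json` output for ISODownloadURLs whose query holds a JWT."""
    findings = []
    for item in infraenv_list.get("items", []):
        meta = item.get("metadata", {})
        url = (item.get("status") or {}).get("isoDownloadURL")
        if not url:
            continue  # ISO not generated yet, so there is no URL that could leak a token
        for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if looks_like_jwt(value):  # report a redacted prefix only, never the full token
                findings.append({"namespace": meta.get("namespace"), "name": meta.get("name"),
                                 "param": key, "token_prefix": value[:8] + "..."})
    return findings

def _segment(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).decode().rstrip("=")

# Constructed sample: one URL carrying a dummy token (header, payload, fake signature) under an
# assumed parameter name, one with a benign file_name parameter, one InfraEnv with no ISO yet.
SAMPLE_TOKEN = ".".join([_segment({"alg": "RS256", "typ": "JWT"}), _segment({"sub": "demo"}), "c2lnbmF0dXJl"])
SAMPLE_INFRAENVS = {"items": [
    {"metadata": {"namespace": "team-a", "name": "lab-env"},
     "status": {"isoDownloadURL": "https://hub.example.invalid/images/abc?token=" + SAMPLE_TOKEN}},
    {"metadata": {"namespace": "team-b", "name": "clean-env"},
     "status": {"isoDownloadURL": "https://hub.example.invalid/images/def?file_name=discovery.iso"}},
    {"metadata": {"namespace": "team-c", "name": "pending"}, "status": {}},
]}
```

On a real hub, load the output of `kubectl get infraenv -A -o json` with `json.load` and pass it to `find_exposed_tokens`; any finding means a hub token is readable by whoever can get that InfraEnv.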
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the assisted-service REST API endpoints and limiting the permissions of users who can get InfraEnv objects in their namespaces.
Since the vulnerability arises from the local authenticator granting full administrative access with any valid JWT and the exposure of the JWT in InfraEnvStatus.ISODownloadURL, you should consider:
- Review and tighten RBAC policies to prevent users with minimal namespace-scoped privileges from accessing InfraEnv objects.
- Avoid using AUTH_TYPE=local mode if possible, or apply additional access controls around the assisted-service endpoints.
- Monitor and audit usage of the credentials and kubeconfig download endpoints to detect unauthorized access.
Applying vendor patches or updates addressing this vulnerability as soon as they become available is also critical.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated user with minimal privileges to obtain administrative credentials for arbitrary clusters, granting unrestricted root-level access. This unauthorized access to sensitive administrative credentials could lead to unauthorized data access or control over systems, potentially impacting compliance with standards and regulations such as GDPR and HIPAA that require strict access controls and protection of sensitive data.
However, the provided information does not explicitly describe the direct impact on compliance with specific standards or regulations.