CVE-2026-10101
Awaiting Analysis Awaiting Analysis - Queue

ACM/MCE pull-secret exposure via InfraEnv status conditions

Vulnerability report for CVE-2026-10101, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-29

Last updated on: 2026-07-02

Assigner: Red Hat, Inc.

Description

ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterRole cannot directly read Secrets, but can read `InfraEnv` objects and recover the referenced Secret's `.dockerconfigjson` data from status. This bypasses the Kubernetes/OpenShift RBAC separation between read-only namespace viewers and Secret readers. In the reproduced proof, the same ServiceAccount was denied `get` and `list` on Secrets, but recovered synthetic pull-secret `username`, `password`, `email`, and base64 `auth` fields through `InfraEnv.status`.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-29
Last Modified
2026-07-02
Generated
2026-07-09
AI Q&A
2026-05-29
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
redhat openshift *
redhat assisted-service From 2026-05-29 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthorized users with only the default 'view' ClusterRole to access sensitive pull-secret data, including usernames, passwords, emails, and authentication tokens, by bypassing Kubernetes/OpenShift RBAC restrictions.

Such unauthorized access to sensitive authentication credentials could lead to data breaches or unauthorized system access, which may violate compliance requirements under standards like GDPR and HIPAA that mandate strict controls over access to sensitive information.

Therefore, this vulnerability potentially undermines compliance with these regulations by exposing sensitive secrets to users who should not have access, increasing the risk of data exposure and non-compliance.

Executive Summary

CVE-2026-10101 is a security vulnerability in the assisted-service component of ACM/MCE where sensitive pull-secret data is unintentionally exposed. When pull-secret validation fails, the raw contents of the referenced pull-secret are written into the InfraEnv object's status conditions message field. This allows a user with only the default 'view' ClusterRole, which normally cannot read Secrets directly, to access sensitive pull-secret information such as usernames, passwords, emails, and base64-encoded authentication data by reading the InfraEnv status.

This vulnerability effectively bypasses the Kubernetes/OpenShift Role-Based Access Control (RBAC) separation between users who can view namespace resources and those who can read Secrets, enabling unauthorized access to secret credentials.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive credentials stored in pull-secrets, such as usernames, passwords, and authentication tokens. An attacker or unauthorized user with only read access to InfraEnv objects but no direct permission to read Secrets can recover these credentials.

Such exposure can compromise the security of container registries or other services relying on these pull-secrets, potentially leading to unauthorized access, data breaches, or further exploitation within the affected Kubernetes or OpenShift environment.

Detection Guidance

This vulnerability can be detected by inspecting the `InfraEnv.status.conditions[].message` fields in your Kubernetes/OpenShift cluster to see if they contain raw pull-secret contents, especially after pull-secret validation failures.

Since a user with the `view` ClusterRole can read `InfraEnv` objects but not Secrets, you can attempt to retrieve the `InfraEnv` objects and check their status messages for leaked secret data.

  • Use kubectl or oc commands to list InfraEnv objects and describe their status conditions, for example:
  • `kubectl get infraenv -n <namespace>`
  • `kubectl describe infraenv <infraenv-name> -n <namespace>`
  • Look specifically at the `status.conditions[].message` fields for any raw pull-secret data such as `.dockerconfigjson` contents.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10101. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart