CVE-2026-10101
Awaiting Analysis Awaiting Analysis - Queue
ACM/MCE pull-secret exposure via InfraEnv status conditions

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Red Hat, Inc.

Description
ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterRole cannot directly read Secrets, but can read `InfraEnv` objects and recover the referenced Secret's `.dockerconfigjson` data from status. This bypasses the Kubernetes/OpenShift RBAC separation between read-only namespace viewers and Secret readers. In the reproduced proof, the same ServiceAccount was denied `get` and `list` on Secrets, but recovered synthetic pull-secret `username`, `password`, `email`, and base64 `auth` fields through `InfraEnv.status`.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-10101
EUVD
EUVD-2026-33342
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
redhat openshift *
redhat assisted-service From 2026-05-29 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10101 is a security vulnerability in the assisted-service component of ACM/MCE where sensitive pull-secret data is unintentionally exposed. When pull-secret validation fails, the raw contents of the referenced pull-secret are written into the InfraEnv object's status conditions message field. This allows a user with only the default 'view' ClusterRole, which normally cannot read Secrets directly, to access sensitive pull-secret information such as usernames, passwords, emails, and base64-encoded authentication data by reading the InfraEnv status.

This vulnerability effectively bypasses the Kubernetes/OpenShift Role-Based Access Control (RBAC) separation between users who can view namespace resources and those who can read Secrets, enabling unauthorized access to secret credentials.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive credentials stored in pull-secrets, such as usernames, passwords, and authentication tokens. An attacker or unauthorized user with only read access to InfraEnv objects but no direct permission to read Secrets can recover these credentials.

Such exposure can compromise the security of container registries or other services relying on these pull-secrets, potentially leading to unauthorized access, data breaches, or further exploitation within the affected Kubernetes or OpenShift environment.

Compliance Impact

This vulnerability allows unauthorized users with only the default 'view' ClusterRole to access sensitive pull-secret data, including usernames, passwords, emails, and authentication tokens, by bypassing Kubernetes/OpenShift RBAC restrictions.

Such unauthorized access to sensitive authentication credentials could lead to data breaches or unauthorized system access, which may violate compliance requirements under standards like GDPR and HIPAA that mandate strict controls over access to sensitive information.

Therefore, this vulnerability potentially undermines compliance with these regulations by exposing sensitive secrets to users who should not have access, increasing the risk of data exposure and non-compliance.

Detection Guidance

This vulnerability can be detected by inspecting the `InfraEnv.status.conditions[].message` fields in your Kubernetes/OpenShift cluster to see if they contain raw pull-secret contents, especially after pull-secret validation failures.

Since a user with the `view` ClusterRole can read `InfraEnv` objects but not Secrets, you can attempt to retrieve the `InfraEnv` objects and check their status messages for leaked secret data.

  • Use kubectl or oc commands to list InfraEnv objects and describe their status conditions, for example:
  • `kubectl get infraenv -n <namespace>`
  • `kubectl describe infraenv <infraenv-name> -n <namespace>`
  • Look specifically at the `status.conditions[].message` fields for any raw pull-secret data such as `.dockerconfigjson` contents.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10101. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart