CVE-2026-46579
Status: Awaiting Analysis (Queue)
OpenShift Router X-SSL-Client Header Injection Vulnerability

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Red Hat, Inc.

Description
A flaw was found in the OpenShift Router. When a Route has `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend does not remove `X-SSL-Client-*` headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted `X-SSL-Client-*` headers. As a result, backends relying on these headers for mutual TLS (Transport Layer Security) authentication can be bypassed, enabling the attacker to impersonate client certificate identities.
Meta Information
Published: 2026-05-29
Last Modified: 2026-05-29
Generated: 2026-05-29
AI Q&A: 2026-05-29
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: redhat | Product: openshift_router | Version / Range: *
CWE
CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the OpenShift Router's HTTP frontend when a Route has the insecureEdgeTerminationPolicy set to Allow. Normally, the router removes X-SSL-Client-* headers from incoming HTTP requests to prevent spoofing. However, due to this flaw, these headers are not removed, allowing an attacker to send crafted X-SSL-Client-* headers in plain HTTP requests.

As a result, backends that rely on these headers for mutual TLS authentication can be tricked into accepting forged client certificate identities, enabling an unauthenticated attacker to impersonate legitimate clients.

How can this vulnerability impact me?

This vulnerability can have serious security impacts by allowing an attacker to bypass mutual TLS authentication mechanisms.

  • An attacker can impersonate any client certificate identity by sending forged X-SSL-Client-* headers.
  • Unauthorized access to backend systems can be gained without proper authentication.
  • This can lead to data breaches, unauthorized actions, and compromise of sensitive systems relying on client certificate authentication.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring HTTP requests to the OpenShift Router for the presence of X-SSL-Client-* headers, which should normally only be set by HTTPS frontends after a TLS handshake.

You can use network traffic inspection tools or commands to check for incoming HTTP requests containing headers like X-SSL-Client-DN, X-SSL-Client-DER, X-SSL-Client-NotAfter, X-SSL-Client-NotBefore, X-SSL-Client-SHA1, and X-SSL-Client-Subject.

  • Use tcpdump or tshark to capture HTTP traffic and filter for X-SSL-Client-* headers.
  • Example tcpdump command (the `-l` flag line-buffers the output so grep shows matches as they arrive; the BPF expression keeps only packets that carry a TCP payload): tcpdump -l -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'X-SSL-Client-'
  • Use curl or similar HTTP clients to test sending crafted HTTP requests with X-SSL-Client-* headers to your OpenShift Router and observe if they are forwarded to the backend.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, avoid setting insecureEdgeTerminationPolicy to Allow on Routes served by the OpenShift Router.

Ensure that the HTTP frontend strips or blocks incoming X-SSL-Client-* headers to prevent attackers from injecting forged headers.

Consider configuring Routes to use secure termination policies that enforce TLS and proper header handling.

Apply any patches or updates provided by Red Hat or your OpenShift vendor that address this vulnerability.
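Added example (not Red Hat's or the OpenShift router's code) modelling the mitigation described above and the detection step from the earlier answer in Python: the frontend strips every client-supplied X-SSL-Client-* header and sets identity headers only from a certificate it verified itself, and a scan over constructed request records flags plaintext requests that still carried such headers. The record format, SAMPLE_REQUESTS and the verified_cert dict are assumptions made for the example.

```python
import re

# The page lists X-SSL-Client-DN, -DER, -NotAfter, -NotBefore, -SHA1 and
# -Subject; match the whole family by prefix, case-insensitively, because
# header names are case-insensitive and an exact-name denylist is bypassable.
CLIENT_CERT_HEADER = re.compile(r"^x-ssl-client-", re.IGNORECASE)


def strip_client_cert_headers(headers):
    """Drop every client-supplied X-SSL-Client-* header; returns (clean, dropped)."""
    clean, dropped = {}, []
    for name, value in headers.items():
        if CLIENT_CERT_HEADER.match(name):
            dropped.append(name)
        else:
            clean[name] = value
    return clean, dropped


def build_upstream_headers(headers, verified_cert=None):
    """Correct frontend behaviour: strip first, then set identity headers only
    from a certificate the router verified in the TLS handshake. verified_cert
    is a constructed dict ('subject', 'sha1'); None means plaintext or no cert."""
    clean, _ = strip_client_cert_headers(headers)
    if verified_cert is not None:
        clean["X-SSL-Client-Subject"] = verified_cert["subject"]
        clean["X-SSL-Client-SHA1"] = verified_cert["sha1"]
    return clean


# Constructed request records (not real router log output): scheme the
# client used, method, path, and the header names the request carried.
SAMPLE_REQUESTS = [
    "http GET /api/admin headers=Host,X-SSL-Client-DN,X-SSL-Client-SHA1",
    "https GET /api/admin headers=Host,X-SSL-Client-DN,X-SSL-Client-SHA1",
    "http GET /healthz headers=Host,User-Agent",
    "http POST /api/orders headers=Host,x-ssl-client-subject",
]


def find_spoof_candidates(lines):
    """Flag plaintext requests that arrived carrying X-SSL-Client-* headers:
    legitimate clients never send them, so each hit is a misconfigured client
    or an attempt to forge a certificate identity and deserves investigation."""
    hits = []
    for line in lines:
        scheme, method, path, header_field = line.split(" ", 3)
        names = header_field.split("=", 1)[1].split(",")
        forged = [n for n in names if CLIENT_CERT_HEADER.match(n)]
        if scheme == "http" and forged:
            hits.append((method, path, forged))
    return hits
```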

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker to bypass mutual TLS authentication by impersonating client certificate identities, leading to unauthorized access to backend systems.

Such unauthorized access can result in exposure or compromise of sensitive data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate strong authentication and protection of personal and health information.

Therefore, the flaw can negatively impact compliance by undermining the security controls designed to protect sensitive data and ensure authenticated access.