CVE-2026-10609
Analyzed
Analyzed - Analysis Complete
OpenShift Cluster Logging Operator Missing Authorization Flaw
Vulnerability report for CVE-2026-10609, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-23
Last updated on: 2026-07-08
Assigner: Red Hat, Inc.
Description
Description
A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrate SA tokens and escalate privileges.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | logging_subsystem_for_red_hat_openshift | * |
| redhat | cluster_logging_operator | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |