CVE-2026-10840
Status: Received - Intake
OpenShift Pipelines Operator Privilege Escalation Vulnerability

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: Red Hat, Inc.

Description
A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate.
CVSS Scores: none listed

EPSS Scores: none listed (EPSS Evaluated: N/A)

Meta Information
Generated: 2026-06-04
AI Q&A generated: 2026-06-04
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor    Product                       Version / Range
redhat    openshift_pipelines_operator  *
tektoncd  operator                      *
Weakness (CWE)
CWE-732: The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-10840 is a security flaw in the OpenShift Pipelines operator, specifically involving a ClusterRoleBinding called tekton-scheduler-rolebinding.

This ClusterRoleBinding incorrectly grants all authenticated users (the system:authenticated group) cluster-wide write permissions to certain custom resources, namely Kueue and cert-manager resources.

As a result, any authenticated user can create, update, patch, or delete Kueue resources such as ResourceFlavor, Workload, and WorkloadPriorityClass, which can disrupt workload scheduling across different tenants.

Additionally, users can create or modify cert-manager resources like Certificate and Issuer, including the ability to overwrite TLS Secrets such as the default ingress controller certificate.

This is a confused deputy attack: an attacker who cannot write Secrets directly creates or modifies a Certificate, and cert-manager's own ServiceAccount, which legitimately writes TLS Secrets, does the overwrite on the attacker's behalf.

Notably, the problematic RBAC permissions are installed even if the Tekton Scheduler feature is disabled, increasing the risk of exploitation.


How can this vulnerability impact me?

This vulnerability can have serious impacts on your cluster and workloads.

  • Disruption of workload scheduling across tenants by unauthorized modification or deletion of Kueue resources.
  • Tampering with scheduling priorities, potentially affecting resource allocation fairness and performance.
  • Deletion of other tenants' Workload objects, evicting their jobs from the queue and causing denial of service for those tenants.
  • Unauthorized overwriting of TLS Secrets, including the default ingress controller certificate, which can compromise secure communications.
  • Enabling confused deputy attacks that allow attackers to indirectly write to sensitive Secrets, increasing the risk of privilege escalation or data compromise.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection is an RBAC audit: confirm that the ClusterRoleBinding tekton-scheduler-rolebinding exists, that its subjects include the group system:authenticated, and that the ClusterRole it references (tekton-scheduler-role) grants write verbs on kueue.x-k8s.io and cert-manager.io resources. Because the RBAC objects are installed whether or not the Tekton Scheduler feature is enabled, check every cluster running the operator, not only those that use the scheduler.

The following kubectl commands perform the check (oc accepts the same arguments on OpenShift):

  • kubectl get clusterrolebinding tekton-scheduler-rolebinding -o yaml
  • kubectl get clusterrole tekton-scheduler-role -o yaml
  • kubectl auth can-i delete workloads.kueue.x-k8s.io --as=audit-user --as-group=system:authenticated --all-namespaces
  • kubectl auth can-i create certificates.cert-manager.io --as=audit-user --as-group=system:authenticated --all-namespaces

The --as flag names a user, so the group under test is passed explicitly with --as-group next to a placeholder user (audit-user is an arbitrary name); the resources are given in RESOURCE.GROUP form so the check targets the Kueue and cert-manager CRDs rather than any similarly named type. Impersonation requires permission to impersonate users and groups, so run these as a cluster administrator. If the binding lists system:authenticated and the can-i checks answer "yes", the cluster is affected. The impact only materialises when the CRDs are present, which `kubectl get crd workloads.kueue.x-k8s.io certificates.cert-manager.io` will show, but the over-broad binding should be fixed either way.
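The same audit can be run offline against the objects exported with `kubectl get ... -o json`, which is useful for fleet-wide checks. The script below is an added example, not code from Red Hat or the OpenShift Pipelines operator: it parses a ClusterRole and a ClusterRoleBinding, and reports a finding only when the binding references the role, names an "everyone" group subject, and the role carries a write rule on a kueue.x-k8s.io or cert-manager.io resource. The SAMPLE_ROLE and SAMPLE_BINDING objects are constructed to match the advisory's description and are not the operator's real manifests; treating system:unauthenticated as a broad subject goes beyond what the advisory describes and is included as a defensive extension.

```python
"""Offline RBAC audit for over-broad bindings of the kind CVE-2026-10840 describes.

Added example (not code from Red Hat or the OpenShift Pipelines operator).
In practice feed it the real objects:
    kubectl get clusterrole tekton-scheduler-role -o json > role.json
    kubectl get clusterrolebinding tekton-scheduler-rolebinding -o json > binding.json
    python3 rbac_audit.py role.json binding.json
The SAMPLE_* objects below are constructed for illustration and are not the
operator's actual manifests.
"""
import json
import sys

# Verbs that let a subject change state; "*" covers everything.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
# API groups whose CRDs the advisory names as the impact surface.
SENSITIVE_GROUPS = {"kueue.x-k8s.io", "cert-manager.io"}
# Subjects that amount to "everyone". system:unauthenticated is a defensive
# extension beyond the advisory, which only mentions system:authenticated.
BROAD_SUBJECTS = {("Group", "system:authenticated"),
                  ("Group", "system:unauthenticated")}


def broad_subjects(binding):
    """Subjects of a (Cluster)RoleBinding that grant to every (or any) user."""
    return [s for s in binding.get("subjects", [])
            if (s.get("kind"), s.get("name")) in BROAD_SUBJECTS]


def risky_rules(role):
    """(apiGroup, resource, sorted write verbs) for each rule that writes to a
    sensitive API group. A wildcard apiGroup matches every sensitive group."""
    findings = []
    for rule in role.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        hit_groups = SENSITIVE_GROUPS if "*" in groups else groups & SENSITIVE_GROUPS
        hit_verbs = set(rule.get("verbs", [])) & WRITE_VERBS
        if not (hit_groups and hit_verbs):
            continue
        for group in sorted(hit_groups):
            for resource in rule.get("resources", ["*"]):
                findings.append((group, resource, sorted(hit_verbs)))
    return findings


def audit(role, binding):
    """Findings only when the binding references this ClusterRole, names a broad
    subject, and the role carries a risky write rule.
    Each finding is (subject name, apiGroup, resource, verbs)."""
    ref = binding.get("roleRef", {})
    if ref.get("kind") != "ClusterRole" or ref.get("name") != role["metadata"]["name"]:
        return []
    subjects = broad_subjects(binding)
    if not subjects:
        return []
    return [(s["name"], group, resource, verbs)
            for s in subjects
            for (group, resource, verbs) in risky_rules(role)]


# Constructed sample input (illustrative, NOT the operator's real manifests).
SAMPLE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "tekton-scheduler-role"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": ["kueue.x-k8s.io"],
         "resources": ["workloads", "resourceflavors", "workloadpriorityclasses"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": ["cert-manager.io"],
         "resources": ["certificates", "issuers"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ],
}
SAMPLE_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "tekton-scheduler-rolebinding"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "tekton-scheduler-role"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                  "kind": "Group", "name": "system:authenticated"}],
}


def report(role, binding):
    """Print one line per finding; return the exit status an audit job would use."""
    findings = audit(role, binding)
    for subject, group, resource, verbs in findings:
        print(f"VULNERABLE: {subject} may {','.join(verbs)} {resource}.{group} cluster-wide")
    return 1 if findings else 0


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_role, open(sys.argv[2]) as f_bind:
            sys.exit(report(json.load(f_role), json.load(f_bind)))
    sys.exit(report(SAMPLE_ROLE, SAMPLE_BINDING))
```

The audit deliberately requires all three conditions together: a broad subject alone is common (system:authenticated is legitimately bound to discovery roles), and a write rule on Kueue or cert-manager types is expected for the controllers that own them. Only the combination, reachable through one roleRef, is the finding.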


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation is to break the grant: remove the system:authenticated subject from the tekton-scheduler-rolebinding ClusterRoleBinding (or delete the binding outright if nothing legitimate depends on it) so that tekton-scheduler-role is no longer reachable by every authenticated user.

Specifically, you should:

  • Edit tekton-scheduler-rolebinding to remove the system:authenticated group subject, leaving only the ServiceAccount(s) that actually need the role.
  • Confirm that only trusted service accounts or users retain write access to Kueue and cert-manager custom resources, re-running the kubectl auth can-i checks after the change.
  • Do not rely on disabling the Tekton Scheduler feature: the RBAC objects are installed regardless of that setting. If the feature is unused, remove the binding, verify it is not recreated when the operator next reconciles, and apply the vendor's fixed operator release when it is available.

These steps prevent unauthorized users from disrupting workload scheduling or tampering with TLS Secrets. If the cluster was exposed with Kueue or cert-manager CRDs present, also review existing Certificate, Issuer and Workload objects for entries no tenant owns, and check the default ingress controller certificate for an unexpected rotation.
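Removing a subject with `kubectl patch --type=json` needs the subject's index, and when more than one subject must go the removals have to be ordered highest-index-first or the second path will point at the wrong entry. The script below is an added example, not the operator's code, that builds that patch from the exported binding and applies it to a local copy first so the result can be reviewed before it is sent to the cluster. The SAMPLE_BINDING and its tekton-scheduler ServiceAccount in the openshift-pipelines namespace are constructed for illustration; the real binding's other subjects may differ.

```python
"""Build the kubectl JSON Patch that strips broad group subjects from a binding.

Added example, not the operator's code. Typical use:
    kubectl get clusterrolebinding tekton-scheduler-rolebinding -o json > binding.json
    kubectl patch clusterrolebinding tekton-scheduler-rolebinding --type=json \
        -p "$(python3 strip_broad_subjects.py < binding.json)"
The sample binding is constructed; the real object's other subjects may differ.
"""
import json
import sys

# system:unauthenticated is a defensive extension; the advisory names only
# system:authenticated.
BROAD_SUBJECTS = {("Group", "system:authenticated"),
                  ("Group", "system:unauthenticated")}


def removal_patch(binding):
    """RFC 6902 'remove' ops for every broad subject. Indices are emitted
    highest-first because the API server applies the ops sequentially and an
    earlier removal would shift every later index."""
    idx = [i for i, s in enumerate(binding.get("subjects", []))
           if (s.get("kind"), s.get("name")) in BROAD_SUBJECTS]
    return [{"op": "remove", "path": f"/subjects/{i}"} for i in sorted(idx, reverse=True)]


def apply_locally(binding, patch):
    """Apply the remove ops to a deep copy so the result can be reviewed
    (and re-audited) before anything is sent to the cluster."""
    fixed = json.loads(json.dumps(binding))
    for op in patch:
        if op["op"] != "remove" or not op["path"].startswith("/subjects/"):
            raise ValueError(f"unexpected op in patch: {op}")
        del fixed["subjects"][int(op["path"].rsplit("/", 1)[1])]
    return fixed


# Constructed sample (illustrative; the operator's real subject list may differ).
SAMPLE_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "tekton-scheduler-rolebinding"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "tekton-scheduler-role"},
    "subjects": [
        {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
         "name": "system:authenticated"},
        {"kind": "ServiceAccount", "name": "tekton-scheduler",
         "namespace": "openshift-pipelines"},
    ],
}

if __name__ == "__main__":
    # Read the exported binding from stdin; fall back to the sample when run bare.
    source = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_BINDING
    patch = removal_patch(source)
    print(json.dumps(patch))
    print("remaining subjects:", json.dumps(apply_locally(source, patch)["subjects"]),
          file=sys.stderr)
```

An empty patch (`[]`) means no broad subject was present, which kubectl applies as a no-op. Because the operator owns the binding, re-run the export after its next reconcile to confirm the subject has not been restored.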


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows any authenticated user to gain write access to critical resources in the OpenShift cluster, including the ability to overwrite TLS Secrets such as the default ingress controller certificate. Such unauthorized access and potential tampering with workload scheduling and security certificates can lead to data integrity and availability issues.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the ability for attackers to disrupt workloads and overwrite TLS certificates could result in violations of these regulations' requirements for data protection, confidentiality, and system integrity.

Therefore, exploitation of this vulnerability could negatively impact compliance with common security and privacy standards by enabling unauthorized access and manipulation of sensitive system components.

