CVE-2026-10840
Awaiting Analysis Awaiting Analysis - Queue
OpenShift Pipelines Operator Privilege Escalation Vulnerability

Publication date: 2026-06-04

Last updated on: 2026-06-22

Assigner: Red Hat, Inc.

Description
A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-22
Generated
2026-06-24
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-10840
EUVD
EUVD-2026-34248
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
redhat openshift_pipelines_operator *
tektoncd operator *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10840 is a security flaw in the OpenShift Pipelines operator, specifically involving a ClusterRoleBinding called tekton-scheduler-rolebinding.

This ClusterRoleBinding incorrectly grants all authenticated users (the system:authenticated group) cluster-wide write permissions to certain custom resources, namely Kueue and cert-manager resources.

As a result, any authenticated user can create, update, patch, or delete Kueue resources such as ResourceFlavor, Workload, and WorkloadPriorityClass, which can disrupt workload scheduling across different tenants.

Additionally, users can create or modify cert-manager resources like Certificate and Issuer, including the ability to overwrite TLS Secrets such as the default ingress controller certificate.

This vulnerability enables a confused deputy attack, where attackers exploit cert-manager's ServiceAccount to indirectly write to Secrets.

Notably, the problematic RBAC permissions are installed even if the Tekton Scheduler feature is disabled, increasing the risk of exploitation.

Impact Analysis

This vulnerability can have serious impacts on your cluster and workloads.

  • Disruption of workload scheduling across tenants by unauthorized modification or deletion of Kueue resources.
  • Tampering with scheduling priorities, potentially affecting resource allocation fairness and performance.
  • Deletion of other tenants' Workload objects, leading to denial of service or data loss.
  • Unauthorized overwriting of TLS Secrets, including the default ingress controller certificate, which can compromise secure communications.
  • Enabling confused deputy attacks that allow attackers to indirectly write to sensitive Secrets, increasing the risk of privilege escalation or data compromise.
Detection Guidance

This vulnerability can be detected by inspecting the ClusterRoleBinding named tekton-scheduler-rolebinding to see if it grants the system:authenticated group write access to Kueue and cert-manager custom resources.

You can use kubectl commands to check the permissions and bindings related to this vulnerability.

  • kubectl get clusterrolebinding tekton-scheduler-rolebinding -o yaml
  • kubectl auth can-i create workload --as=system:authenticated
  • kubectl auth can-i update certificate --as=system:authenticated

These commands help verify if the system:authenticated group has excessive write permissions to Kueue and cert-manager resources, indicating the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation involves removing or restricting the tekton-scheduler-rolebinding ClusterRoleBinding that grants write access to the system:authenticated group.

Specifically, you should:

  • Review and modify the tekton-scheduler-rolebinding to remove the system:authenticated group or limit its permissions.
  • Ensure that only trusted service accounts or users have write access to Kueue and cert-manager custom resources.
  • If the Tekton Scheduler feature is not in use, consider disabling or uninstalling the related RBAC objects to reduce attack surface.

These steps help prevent unauthorized users from disrupting workload scheduling or tampering with TLS secrets.

Compliance Impact

This vulnerability allows any authenticated user to gain write access to critical resources in the OpenShift cluster, including the ability to overwrite TLS Secrets such as the default ingress controller certificate. Such unauthorized access and potential tampering with workload scheduling and security certificates can lead to data integrity and availability issues.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the ability for attackers to disrupt workloads and overwrite TLS certificates could result in violations of these regulations' requirements for data protection, confidentiality, and system integrity.

Therefore, exploitation of this vulnerability could negatively impact compliance with common security and privacy standards by enabling unauthorized access and manipulation of sensitive system components.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10840. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart