CVE-2026-10843
OpenShift Cloud Credential Operator AWS IAM Policy Privilege Escalation
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: Red Hat, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | openshift_container_platform | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-250 | The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10843 is a security flaw in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. The vulnerability arises because operator credentials are provisioned with overly broad permissions that apply account-wide, rather than being restricted to resources owned by the specific cluster.
Specifically, components like the Image Registry, Machine API, Ingress Operator, and EBS CSI Driver request IAM policies with "Resource: *" permissions for destructive actions such as managing S3 buckets, EC2 instances, Route53 records, and EBS volumes. This means the credentials can affect any AWS resource in the account, not just those related to the OpenShift cluster.
How can this vulnerability impact me?
If an attacker gains access to the compromised operator credentials, whether through pod compromise, RBAC escalation, or reading Secrets, they could perform destructive actions across the entire AWS account, for example:
- Delete S3 buckets unrelated to the cluster.
- Terminate EC2 instances outside the cluster scope.
- Modify DNS records in other hosted zones via Route53.
- Delete EBS volumes belonging to different workloads or clusters.
This broad scope of destructive capability can lead to significant data loss, service disruption, and potential compromise of other resources within the AWS account.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying whether the OpenShift Cloud Credential Operator Mint-mode CredentialsRequest manifests are provisioning IAM policies with overly broad permissions, specifically those using "Resource": "*" for destructive AWS actions.
You can inspect the IAM policies attached to the operator credentials to check for broad permissions that allow destructive actions across the AWS account.
Commands to help detect this include:
- Use the AWS CLI to list the IAM policies attached to the operator role and fetch each policy document so it can be checked for wildcard resource permissions, e.g.:
  - aws iam list-attached-role-policies --role-name <operator-role-name>
  - aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>
- Review each policy document for statements with "Resource": "*" combined with actions related to S3, EC2, Route53, and EBS.
- Within OpenShift, inspect the CredentialsRequest manifests used by the Cloud Credential Operator for overly broad permissions.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting the scope of IAM policies provisioned by the Cloud Credential Operator Mint-mode CredentialsRequest manifests.
Specifically, update the IAM policies to limit permissions to cluster-owned resources rather than account-wide, removing any use of "Resource: *" for destructive actions.
Additionally, review and rotate any compromised credentials and enforce stricter RBAC controls to prevent pod compromise or unauthorized Secret access.
Monitoring and alerting on unusual destructive AWS API calls from operator credentials can also help detect exploitation attempts.
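The detection step above (scanning policy documents for "Resource": "*" paired with destructive actions) and the mitigation (scoping those same permissions to cluster-owned resources) can be seen together in one script. This is an added example written for this page, not Red Hat's or the Cloud Credential Operator's own code. The two policy documents, the cluster id, bucket name, hosted zone id and the kubernetes.io/cluster/<id>=owned tag are constructed for illustration, and the list of destructive actions is a small illustrative subset rather than a complete inventory.

```python
"""Lint AWS IAM policy documents for the pattern described above:
"Allow" statements that pair destructive actions with "Resource": "*".
Added example; the sample policies are constructed, not real
CredentialsRequest output."""
import fnmatch
import json
import urllib.parse

# Destructive actions in the service families the page names (S3, EC2,
# Route53, EBS). Illustrative subset; extend it for your environment.
DESTRUCTIVE_ACTIONS = (
    "s3:DeleteBucket",
    "s3:DeleteObject",
    "ec2:TerminateInstances",
    "ec2:DeleteVolume",
    "route53:ChangeResourceRecordSets",
)


def _as_list(value):
    """IAM allows a scalar or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def extract_policy_document(cli_output):
    """Pull the policy document out of `aws iam get-policy-version` output.
    The CLI normally returns the document as decoded JSON; the raw API
    returns it URL-encoded, so both forms are accepted."""
    data = json.loads(cli_output) if isinstance(cli_output, str) else cli_output
    doc = data["PolicyVersion"]["Document"]
    if isinstance(doc, str):
        doc = json.loads(urllib.parse.unquote(doc))
    return doc


def find_wildcard_destructive(policy):
    """Return (sid, destructive_action, matching_pattern) for every Allow
    statement that grants a destructive action on Resource "*" with no
    Condition. A Condition is treated as scoping here, so still confirm the
    condition key is supported by the action: s3:DeleteBucket, for example,
    is not scoped by aws:ResourceTag and must be scoped by bucket ARN."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        if stmt.get("Condition"):
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        for pattern in _as_list(stmt.get("Action")):
            for action in DESTRUCTIVE_ACTIONS:
                # IAM action names are case-insensitive and may contain '*'
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((sid, action, pattern))
    return findings


# Constructed "before" policy: the account-wide shape the page describes.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Storage", "Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:*Object"],
         "Resource": "*"},
        {"Sid": "Compute", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume", "ec2:Describe*"],
         "Resource": "*"},
        {"Sid": "Dns", "Effect": "Allow",
         "Action": "route53:ChangeResourceRecordSets",
         "Resource": "*"},
    ],
}

# Constructed "after" policy (cluster id, bucket, hosted zone id and the
# cluster ownership tag are assumptions): ARN scoping where the service
# supports it, a resource-tag condition where it does not, and "*" kept
# only for Describe* calls, which do not support resource-level permissions.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Storage", "Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:*Object"],
         "Resource": ["arn:aws:s3:::example-cluster-registry",
                      "arn:aws:s3:::example-cluster-registry/*"]},
        {"Sid": "Compute", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume"],
         "Resource": "*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/kubernetes.io/cluster/example-cluster": "owned"}}},
        {"Sid": "ComputeRead", "Effect": "Allow",
         "Action": "ec2:Describe*", "Resource": "*"},
        {"Sid": "Dns", "Effect": "Allow",
         "Action": "route53:ChangeResourceRecordSets",
         "Resource": "arn:aws:route53:::hostedzone/Z0000000EXAMPLE"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_wildcard_destructive(pol))
```

In use, pipe the JSON from `aws iam get-policy-version` into `extract_policy_document` and run `find_wildcard_destructive` on the result for every policy that `list-attached-role-policies` reports. The broad policy yields five findings (two from the S3 statement, two from EC2, one from Route53); the scoped policy yields none, because the remaining "*" statement grants only Describe* actions, which are read-only and not in the destructive list.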
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows operator credentials to have broad, account-wide permissions on AWS resources rather than being limited to cluster-owned resources. As a result, if these credentials are compromised, an attacker could perform destructive actions across unrelated AWS resources within the same account.
Such broad access and potential for destructive actions could lead to unauthorized data access, modification, or deletion, which may violate data protection and privacy requirements under standards like GDPR and HIPAA. Specifically, the risk of cross-scope impact and destruction of resources could compromise the confidentiality, integrity, and availability of sensitive data.
Therefore, this vulnerability poses a significant risk to compliance with regulations that mandate strict access controls and protection of sensitive information.