CVE-2026-10843
Awaiting Analysis - Queue
OpenShift Cloud Credential Operator AWS IAM Policy Privilege Escalation

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: Red Hat, Inc.

Description
A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise.
Meta Information
Published: 2026-06-04
Last Modified: 2026-06-04
Generated: 2026-06-24
AI Q&A: 2026-06-04
EPSS Evaluated: 2026-06-23
Affected Vendors & Products (1 associated CPE)
Vendor: redhat
Product: openshift_container_platform
Version / Range: *
CWE
CWE-250: The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10843 is a security flaw in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. The vulnerability arises because operator credentials are provisioned with overly broad permissions that apply account-wide, rather than being restricted to resources owned by the specific cluster.

Specifically, components like the Image Registry, Machine API, Ingress Operator, and EBS CSI Driver request IAM policies with "Resource: *" permissions for destructive actions such as managing S3 buckets, EC2 instances, Route53 records, and EBS volumes. This means the credentials can affect any AWS resource in the account, not just those related to the OpenShift cluster.

Impact Analysis

If an attacker gains access to the compromised operator credentials (through pod compromise, RBAC escalation, or reading Secrets), they could perform destructive actions across the entire AWS account.

  • Delete S3 buckets unrelated to the cluster.
  • Terminate EC2 instances outside the cluster scope.
  • Modify DNS records in other hosted zones via Route53.
  • Delete EBS volumes belonging to different workloads or clusters.

This broad scope of destructive capability can lead to significant data loss, service disruption, and potential compromise of other resources within the AWS account.

Detection Guidance

Detecting this issue means checking whether the OpenShift Cloud Credential Operator Mint-mode CredentialsRequest manifests provision IAM policies with overly broad permissions, specifically statements that use "Resource": "*" for destructive AWS actions.

You can inspect the IAM policies attached to the operator credentials to check for broad permissions that allow destructive actions across the AWS account.

Commands to help detect this include:

  • Using the AWS CLI, list the IAM policies attached to the operator role and retrieve each policy document to check for wildcard resource permissions, e.g.:
      aws iam list-attached-role-policies --role-name <operator-role-name>
      aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>
  • Review each policy document for statements with "Resource": "*" combined with destructive actions on S3, EC2, Route53, and EBS.
  • Within OpenShift, inspect the CredentialsRequest manifests used by the Cloud Credential Operator for overly broad permissions.

Mitigation Strategies

Immediate mitigation steps include restricting the scope of IAM policies provisioned by the Cloud Credential Operator Mint-mode CredentialsRequest manifests.

Specifically, update the IAM policies to limit permissions to cluster-owned resources rather than account-wide, removing any use of "Resource: *" for destructive actions.

Additionally, review and rotate any compromised credentials and enforce stricter RBAC controls to prevent pod compromise or unauthorized Secret access.

Monitoring and alerting on unusual destructive AWS API calls from operator credentials can also help detect exploitation attempts.
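The following script is an added example, not part of this advisory and not Red Hat's or the Cloud Credential Operator's own tooling. It implements the check described in the Detection Guidance above: it scans an IAM policy document (or the wrapper object printed by `aws iam get-policy-version`) for Allow statements that grant destructive S3, EC2, Route53 or EBS actions on "Resource": "*" without any Condition limiting scope. The two embedded policies are constructed samples: one shows the account-wide pattern the advisory describes, the other shows a scoped alternative of the kind the Mitigation Strategies section calls for (resource ARNs where the service supports them, and a cluster-ownership tag condition otherwise). The destructive-action list, the bucket name, the cluster tag key and the hosted zone id are assumptions made for the example.

```python
import fnmatch
import json
import sys

# Destructive AWS actions to look for. Constructed for this example from the services the
# advisory names (S3, EC2, Route53, EBS); extend it for your own environment.
DESTRUCTIVE_ACTIONS = {
    "s3:DeleteBucket",
    "s3:DeleteObject",
    "ec2:TerminateInstances",
    "ec2:DeleteVolume",
    "route53:ChangeResourceRecordSets",
}


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and may contain '*' wildcards (e.g. "s3:*")."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_overbroad_statements(policy_doc):
    """Return [(sid, [destructive actions])] for every Allow statement that grants a
    destructive action on Resource "*" with no Condition block narrowing the grant.
    Statements written with NotAction are not evaluated here and need manual review."""
    findings = []
    for index, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        if stmt.get("Condition"):
            # A condition (for example a resource-tag match) narrows the grant. This is a
            # heuristic: inspect the condition itself to confirm it really limits scope.
            continue
        patterns = _as_list(stmt.get("Action"))
        matched = sorted(
            action for action in DESTRUCTIVE_ACTIONS
            if any(_action_matches(p, action) for p in patterns)
        )
        if matched:
            findings.append((stmt.get("Sid", f"Statement[{index}]"), matched))
    return findings


def extract_document(cli_output):
    """Accept either a bare policy document or the wrapper printed by
    `aws iam get-policy-version` ({"PolicyVersion": {"Document": {...}, ...}})."""
    return cli_output.get("PolicyVersion", {}).get("Document", cli_output)


# Constructed sample: account-wide destructive permissions, the pattern the advisory describes.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RegistryStorage", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Sid": "MachineApi", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:DescribeInstances"], "Resource": "*"},
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}

# Constructed sample of a scoped alternative. Bucket name, cluster tag key and hosted zone id
# are placeholders; the Describe* statement stays on "*" because those calls are not resource-scoped.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RegistryStorage", "Effect": "Allow",
         "Action": ["s3:DeleteObject", "s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-cluster-registry-bucket/*"},
        {"Sid": "MachineApi", "Effect": "Allow", "Action": ["ec2:TerminateInstances"],
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/kubernetes.io/cluster/example-cluster": "owned"}}},
        {"Sid": "IngressDns", "Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"],
         "Resource": "arn:aws:route53:::hostedzone/EXAMPLEZONEID"},
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    # Usage: aws iam get-policy-version --policy-arn <arn> --version-id <id> | python check_policy.py
    source = sys.stdin if len(sys.argv) < 2 else open(sys.argv[1])
    for sid, actions in find_overbroad_statements(extract_document(json.load(source))):
        print(f'{sid}: {", ".join(actions)} allowed on Resource "*" without a Condition')
```

Run against BROAD_POLICY the check reports the RegistryStorage and MachineApi statements and stays silent on the read-only one; against SCOPED_POLICY it reports nothing. Treat a Condition as a prompt for manual review rather than proof of scoping, and remember that actions such as ec2:Describe* genuinely require "Resource": "*", so the finding is the combination of wildcard resource and destructive action, not the wildcard alone.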

Compliance Impact

This vulnerability allows operator credentials to have broad, account-wide permissions on AWS resources rather than being limited to cluster-owned resources. As a result, if these credentials are compromised, an attacker could perform destructive actions across unrelated AWS resources within the same account.

Such broad access and potential for destructive actions could lead to unauthorized data access, modification, or deletion, which may violate data protection and privacy requirements under standards like GDPR and HIPAA. Specifically, the risk of cross-scope impact and destruction of resources could compromise the confidentiality, integrity, and availability of sensitive data.

Therefore, this vulnerability poses a significant risk to compliance with regulations that mandate strict access controls and protection of sensitive information.
