Configuration Flaw in Internal Proxy of Red Hat Runtimes Inventory Operator
CVE-2025-11393

8.7 HIGH

What is CVE-2025-11393?

A configuration flaw in the Runtimes Inventory Operator for RHEL 8 exposes the internal proxy component to misuse. The proxy improperly associates the cluster's main administrative credentials with any command it processes. As a result, a standard user could potentially execute unauthorized commands, mimicking the role of the cluster administrator. This vulnerability may enable unintended modifications to the cluster's configuration or operational status, posing significant risks to the integrity and security of the Red Hat environment.

Affected Version(s)

Red Hat Lightspeed (formerly Insights) for Runtimes 1.0 sha256:08f473dec97e110a73e1c9886ee31512bb6937f87bdb95fbe77cb2d85695b936

CVSS V3.1

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
