Kubernetes/OpenShift Vulnerability in InfraEnv by Red Hat
CVE-2026-10101

6.3MEDIUM

Key Information:

Vendor: Red Hat
Status: Multicluster Engine For Kubernetes
Vendor: CVE Published:; 29 May 2026

What is CVE-2026-10101?

A security flaw exists in Red Hat's InfraEnv where raw referenced pull-secret data is improperly written into InfraEnv.status.conditions[].message when validation fails. This vulnerability allows a namespace principal with the standard view ClusterRole to indirectly access sensitive information contained in Secrets. Normally, such principals cannot read Secrets, but they are able to extract critical data such as usernames, passwords, emails, and base64-encoded authentication fields from the status of InfraEnv objects, circumventing Kubernetes/OpenShift's Role-Based Access Control (RBAC) protections designed to separate read-only namespace viewers from secret readers.

References

https://access.redhat.com/security/cve/CVE-2026-10101

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2483298

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 29, 2026
Vulnerability Reserved
May 29, 2026

CVE-2026-10101 Data

JSON