Openshift-pipelines-operator-rh: openshift-pipelines-operator: tekton-scheduler-rolebinding grants system:authenticated write access to kueue and cert-manager resources
CVE-2026-10840
9.6 CRITICAL
What is CVE-2026-10840?
A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate.
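A defender-side audit for the misconfiguration described above (an added example, not part of the advisory or of the operator's own code): it walks ClusterRole and ClusterRoleBinding objects in the shape that `kubectl get clusterroles -o json` / `kubectl get clusterrolebindings -o json` return and reports any binding that hands a broad group such as system:authenticated a write verb on kueue.x-k8s.io or cert-manager.io resources. The sample objects are constructed from the names in the advisory; the actual rules of tekton-scheduler-role are not on the page and are assumed here.

```python
"""Audit: flag ClusterRoleBindings that give broad groups write access to Kueue / cert-manager APIs."""
import json

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
SENSITIVE_API_GROUPS = {"kueue.x-k8s.io", "cert-manager.io"}
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}


def risky_rules(cluster_role):
    """Rules in a ClusterRole granting any write verb on Kueue or cert-manager API groups."""
    hits = []
    for rule in cluster_role.get("rules", []):
        api_groups = set(rule.get("apiGroups", []))
        write = set(rule.get("verbs", [])) & WRITE_VERBS
        if write and (api_groups & SENSITIVE_API_GROUPS or "*" in api_groups):
            hits.append((sorted(api_groups), sorted(rule.get("resources", [])), sorted(write)))
    return hits


def audit(roles, bindings):
    """Return (binding, role, subject, rules) for each broad group bound to a risky ClusterRole."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    findings = []
    for b in bindings:
        ref = b.get("roleRef", {})
        role = by_name.get(ref.get("name")) if ref.get("kind") == "ClusterRole" else None
        rules = risky_rules(role) if role else []
        for s in b.get("subjects", []):
            if rules and s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS:
                findings.append((b["metadata"]["name"], ref["name"], s["name"], rules))
    return findings


def items(kubectl_json):
    """Unwrap the List object that `kubectl get <kind> -o json` returns."""
    return json.loads(kubectl_json).get("items", [])


# Constructed sample data using the advisory's object names; the real role's rules are assumed.
SAMPLE_ROLES = [
    {"metadata": {"name": "tekton-scheduler-role"}, "rules": [
        {"apiGroups": ["kueue.x-k8s.io"], "resources": ["workloads"], "verbs": ["get", "list", "update", "delete"]},
        {"apiGroups": ["cert-manager.io"], "resources": ["certificates"], "verbs": ["create", "patch"]}]},
    {"metadata": {"name": "read-only-viewer"}, "rules": [
        {"apiGroups": ["kueue.x-k8s.io"], "resources": ["workloads"], "verbs": ["get", "list", "watch"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "tekton-scheduler-rolebinding"},
     "roleRef": {"kind": "ClusterRole", "name": "tekton-scheduler-role"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "viewer-binding"}, "roleRef": {"kind": "ClusterRole", "name": "read-only-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]

if __name__ == "__main__":
    for binding, role, subject, rules in audit(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{binding}: {subject} -> {role}: {rules}")
```

Against a live cluster, feed `items(...)` the JSON from the two kubectl commands instead of the samples; a read-only binding such as viewer-binding produces no finding, only write verbs on the sensitive API groups do.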
References
CVSS v3.1
Score: 9.6
Severity: CRITICAL
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Christopher Lusk (North Echo Security Research) for reporting this issue.