Security Flaw in OpenShift Router Affects Client Certificate Authentication
CVE-2026-46579

7.4HIGH

Key Information:

Vendor: Red Hat
Status: Red Hat Openshift Container Platform 4
Vendor: CVE Published:; 29 May 2026

What is CVE-2026-46579?

A security flaw in the OpenShift Router arises when the insecureEdgeTerminationPolicy is set to Allow. In this scenario, the HTTP frontend fails to strip X-SSL-Client-* headers from incoming requests. Consequently, an unauthorized attacker can exploit this flaw by sending non-encrypted HTTP requests that contain specifically crafted X-SSL-Client-* headers. This exploitation allows the attacker to bypass mutual TLS authentication mechanisms, thereby impersonating client certificate identities, which can lead to unauthorized access to sensitive backend services.

References

https://access.redhat.com/security/cve/CVE-2026-46579

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2483181

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 29, 2026
Vulnerability Reserved
May 28, 2026

Credit

This issue was discovered by Ricardo Pchevuzinske Katz (Red Hat).

CVE-2026-46579 Data

JSON