Vulnerability in Windows Machine Config Operator for Red Hat OpenShift Container Platform
CVE-2026-54099

8.8 HIGH

What is CVE-2026-54099?

A flaw exists in the Windows Machine Config Operator (WMCO) used for the Red Hat OpenShift Container Platform: the auto-approval process for Certificate Signing Requests (CSRs) does not adequately validate the organization parameters of the request. Because additional organization values are accepted, a malicious actor with control over a compromised Windows worker node could submit a CSR that is auto-approved. As a result, they may obtain a client certificate that confers cluster-administrator privileges, paving the way for a total takeover of the OpenShift cluster.
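The defensive check the description points at is an exact-match comparison of the CSR's organization set against the set the approver expects, so that any extra value causes rejection rather than being carried into the issued certificate. The following Go program is an added example written for this page, not WMCO's own approval code. It assumes that a node client CSR is expected to carry exactly the standard Kubernetes kubelet group "system:nodes" (an assumption for the example) and uses a constructed node name and a constructed extra organization value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"sort"
)

// expectedOrgs is the exact organization set a node client CSR is allowed to
// carry. "system:nodes" is the standard Kubernetes kubelet group; treating it
// as the approver's expected value is an assumption of this example.
var expectedOrgs = []string{"system:nodes"}

// validateCSROrganizations parses a DER-encoded CSR and requires that its
// Subject.Organization set equals expected exactly: no missing entries and,
// the point of this check, no additional ones.
func validateCSROrganizations(der []byte, expected []string) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return fmt.Errorf("parse CSR: %w", err)
	}
	// Reject requests whose signature does not verify with the embedded key.
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature: %w", err)
	}
	got := append([]string(nil), csr.Subject.Organization...)
	want := append([]string(nil), expected...)
	sort.Strings(got)
	sort.Strings(want)
	// Comparing sorted copies element by element makes this set equality,
	// so an extra, missing or duplicated organization all fail.
	if len(got) != len(want) {
		return fmt.Errorf("organization set %v does not match expected %v", got, want)
	}
	for i := range got {
		if got[i] != want[i] {
			return fmt.Errorf("organization set %v does not match expected %v", got, want)
		}
	}
	return nil
}

// makeCSR builds a constructed CSR with a node-style common name and the given
// organizations, standing in for what a worker node would submit.
func makeCSR(orgs []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName:   "system:node:win-worker-0", // constructed node name
			Organization: orgs,
		},
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

func main() {
	for _, orgs := range [][]string{
		{"system:nodes"},
		{"system:nodes", "constructed-extra-org"}, // constructed extra value
	} {
		der, err := makeCSR(orgs)
		if err != nil {
			panic(err)
		}
		if err := validateCSROrganizations(der, expectedOrgs); err != nil {
			fmt.Printf("REJECT %v: %v\n", orgs, err)
		} else {
			fmt.Printf("APPROVE %v\n", orgs)
		}
	}
}
```

The first request is approved and the second, which carries one organization beyond the expected set, is rejected. An approver that only checked for the presence of the expected value (a "contains" test) would pass both, which is the class of gap the description attributes to WMCO.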

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
