Authentication Flaw in Multicluster Engine by Red Hat Permits Unauthorized Access
CVE-2026-7163

6.1 MEDIUM

Key Information:

Vendor:
Red Hat

CVE Published:
30 April 2026

What is CVE-2026-7163?

A vulnerability exists in the assisted-service REST API of the optional Assisted Installer component of Red Hat's Multicluster Engine (MCE). It allows an authenticated user with only limited, namespace-scoped privileges to retrieve administrative credentials for any cluster provisioned through the hub. When the service runs with AUTH_TYPE=local, the affected endpoints, /v2/clusters/{cluster_id}/credentials and the kubeconfig download endpoint, accept any valid JSON Web Token (JWT) as sufficient authorization, without checking that the caller is entitled to the requested cluster. The token is also handled carelessly: it travels in a plaintext query parameter, where users with basic access can read and reuse it. Successful exploitation yields the kubeadmin password and kubeconfig of the OpenShift clusters managed by the affected hub, which amounts to full cluster-admin access to each of them.
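To make the flaw class concrete, here is an added illustration in Go (the language assisted-service is written in) of a credentials endpoint that authenticates a local-auth JWT and then hands out the kubeadmin password for any cluster ID, beside the same handler with the missing object-level authorization check. This is example code written for this page, not assisted-service's code or Red Hat's fix; the token format, the "namespaces" claim, the cluster-ownership model, the handler names, and the sample signing key and clusters are all assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Hypothetical model: the "namespaces" claim stands in for the caller's
// namespace-scoped rights on the hub, and each spoke cluster is owned by one namespace.
type Claims struct {
	Sub        string          `json:"sub"`
	Namespaces map[string]bool `json:"namespaces"`
}
type Cluster struct{ Namespace, KubeadminPassword string }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signToken mints an HS256 JWT; it stands in for the hub's local token issuer.
func signToken(secret []byte, c Claims) string {
	payload, _ := json.Marshal(c) // Claims holds only strings and bools, so Marshal cannot fail
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil))
}

// verifyToken authenticates the caller. The HMAC is always checked against the
// hub key, so the header's "alg" field is never trusted (no alg=none confusion).
func verifyToken(secret []byte, token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil || c.Sub == "" {
		return Claims{}, errors.New("bad claims")
	}
	return c, nil
}

// Vulnerable pattern: a valid token is treated as permission to read ANY cluster's
// kubeadmin password; authentication is mistaken for authorization.
func getCredentialsVulnerable(clusters map[string]Cluster, secret []byte, token, id string) (string, int) {
	if _, err := verifyToken(secret, token); err != nil {
		return "", http.StatusUnauthorized
	}
	if c, ok := clusters[id]; ok {
		return c.KubeadminPassword, http.StatusOK
	}
	return "", http.StatusNotFound
}

// Hardened: same authentication, plus an object-level check that the caller's
// scope covers the namespace owning the requested cluster.
func getCredentialsHardened(clusters map[string]Cluster, secret []byte, token, id string) (string, int) {
	claims, err := verifyToken(secret, token)
	if err != nil {
		return "", http.StatusUnauthorized
	}
	c, ok := clusters[id]
	if !ok {
		return "", http.StatusNotFound
	}
	if !claims.Namespaces[c.Namespace] { // the check the vulnerable handler lacks
		return "", http.StatusForbidden // 404 here would additionally hide that the ID exists
	}
	return c.KubeadminPassword, http.StatusOK
}

// Constructed sample data: a hub signing key and two clusters owned by different namespaces.
var (
	secret = []byte("hub-local-signing-key")
	hub    = map[string]Cluster{"cluster-a": {"team-a", "a-secret"}, "cluster-b": {"team-b", "b-secret"}}
)

func main() {
	tok := signToken(secret, Claims{Sub: "alice", Namespaces: map[string]bool{"team-a": true}})
	_, v := getCredentialsVulnerable(hub, secret, tok, "cluster-b")
	_, h := getCredentialsHardened(hub, secret, tok, "cluster-b")
	fmt.Printf("alice (team-a) reads cluster-b: vulnerable=%d hardened=%d\n", v, h)
}
```

With alice scoped only to team-a, the vulnerable handler returns cluster-b's kubeadmin password with 200, while the hardened one returns 403; a token signed with a different key, a tampered signature, or a payload spliced from another user's token fails the HMAC check in both handlers and gets 401. The point is that signature verification alone answers "who is calling", not "may this caller read this cluster", and the second question has to be asked per object.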

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Attack Vector: Adjacent Network (AV:A)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: Required (UI:R)
Scope: Changed (S:C)
Confidentiality: High (C:H)
Integrity: None (I:N)
Availability: High (A:H)

Note that these metrics do not reproduce the listed score: under the CVSS v3.1 formula, AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:H evaluates to a base score of 8.1 (High). Either the score or one or more of the metrics is misreported here, so treat Red Hat's advisory as the authoritative source for the vector.
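The metrics listed above can be checked against the score with the CVSS v3.1 base-score formula. The following Go program is an added example written for this page (not a Red Hat, NVD or FIRST tool); it implements the specification's formula and its Roundup() function, validates the vector, and evaluates the vector built from the metrics above, AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:H, which comes out at 8.1 (High) rather than the 6.1 shown.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Metric weights and permitted values from the CVSS v3.1 specification (section 7.4).
var (
	av          = map[string]float64{"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
	ac          = map[string]float64{"L": 0.77, "H": 0.44}
	prUnchanged = map[string]float64{"N": 0.85, "L": 0.62, "H": 0.27}
	prChanged   = map[string]float64{"N": 0.85, "L": 0.68, "H": 0.5}
	ui          = map[string]float64{"N": 0.85, "R": 0.62}
	cia         = map[string]float64{"H": 0.56, "L": 0.22, "N": 0}
	allowed     = map[string]string{"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR", "S": "UC", "C": "HLN", "I": "HLN", "A": "HLN"}
)

// roundUp is Roundup() from CVSS v3.1 Appendix A: integer arithmetic so that
// float artefacts cannot change the one-decimal result.
func roundUp(v float64) float64 {
	n := math.Round(v * 100000)
	if math.Mod(n, 10000) == 0 {
		return n / 100000
	}
	return (math.Floor(n/10000) + 1) / 10
}

// parseVector reads "AV:A/AC:L/..." (optionally prefixed with "CVSS:3.1/") and
// rejects vectors with missing or unknown base-metric values.
func parseVector(vector string) (map[string]string, error) {
	m := map[string]string{}
	for _, part := range strings.Split(vector, "/") {
		kv := strings.SplitN(part, ":", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed metric %q", part)
		}
		if kv[0] != "CVSS" {
			m[kv[0]] = kv[1]
		}
	}
	for k, ok := range allowed {
		if v := m[k]; len(v) != 1 || !strings.Contains(ok, v) {
			return nil, fmt.Errorf("missing or invalid value %q for metric %s", v, k)
		}
	}
	return m, nil
}

// BaseScore computes the CVSS v3.1 base score for a vector string.
func BaseScore(vector string) (float64, error) {
	m, err := parseVector(vector)
	if err != nil {
		return 0, err
	}
	changed := m["S"] == "C"
	iss := 1 - (1-cia[m["C"]])*(1-cia[m["I"]])*(1-cia[m["A"]])
	impact, pr := 6.42*iss, prUnchanged[m["PR"]]
	if changed {
		impact, pr = 7.52*(iss-0.029)-3.25*math.Pow(iss-0.02, 15), prChanged[m["PR"]]
	}
	exploitability := 8.22 * av[m["AV"]] * ac[m["AC"]] * pr * ui[m["UI"]]
	if impact <= 0 {
		return 0, nil
	}
	if changed {
		return roundUp(math.Min(1.08*(impact+exploitability), 10)), nil
	}
	return roundUp(math.Min(impact+exploitability, 10)), nil
}

// Severity maps a score onto the CVSS v3.1 qualitative scale.
func Severity(score float64) string {
	switch {
	case score == 0:
		return "NONE"
	case score < 4:
		return "LOW"
	case score < 7:
		return "MEDIUM"
	case score < 9:
		return "HIGH"
	}
	return "CRITICAL"
}

// The metrics exactly as this page lists them for CVE-2026-7163, and the score it shows.
const (
	PageVector = "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:H"
	PageScore  = 6.1
)

func main() {
	s, err := BaseScore(PageVector)
	fmt.Printf("%s -> %.1f %s (err=%v); page shows %.1f MEDIUM; consistent=%v\n",
		PageVector, s, Severity(s), err, PageScore, err == nil && s == PageScore)
}
```

BaseScore returns an error for a vector with a missing or unknown base metric instead of silently scoring it with a zero weight, which is the failure mode of a naive table lookup. Checking a reported score this way is cheap, and it is worth doing before a 6.1 Medium gets a lower patching priority than the listed metrics actually justify.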

Credit

This issue was discovered by Nick Carboni (Red Hat), Omer Vishlitzky (Red Hat), and Riccardo Piccoli (Red Hat).