Red Hat Red Hat Linux OS and other open source products

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Red Hat product.

RSS Feeds for Red Hat security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Red Hat products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Red Hat Sorted by Most Security Vulnerabilities since 2018

Red Hat Enterprise Linux (RHEL)2536 vulnerabilities

Red Hat Enterprise Linux Server1534 vulnerabilities
RedHat Enterprise Linux (RHEL) Server. Includes software bundeled with RHEL server.

Red Hat Enterprise Linux Workstation1504 vulnerabilities
RedHat Enterprise Linux (RHEL) Workstation. Includes software bundled with RHEL Workstation.

Red Hat Enterprise Linux Desktop1493 vulnerabilities
RedHat Enterprise Linux (RHEL) Desktop. Includes software bundled with RHEL desktop

Red Hat Enterprise Linux Eus1062 vulnerabilities

Red Hat Openshift544 vulnerabilities

Red Hat Rhel Eus518 vulnerabilities

Red Hat Rhel E4s433 vulnerabilities

Red Hat Rhel Aus387 vulnerabilities

Red Hat Rhel Tus385 vulnerabilities

Red Hat Satellite355 vulnerabilities

Red Hat Rhel Eus Long Life302 vulnerabilities

Red Hat Openshift Ai299 vulnerabilities

Red Hat Rhel Els280 vulnerabilities

Red Hat Openstack274 vulnerabilities

Red Hat Hummingbird242 vulnerabilities

Red Hat Jboss Fuse203 vulnerabilities

Red Hat Rhivos199 vulnerabilities

Red Hat Jbosseapxp183 vulnerabilities

Red Hat Build Keycloak179 vulnerabilities

Red Hat Jboss Data Grid160 vulnerabilities

Red Hat Enterprise Linux Ai153 vulnerabilities

Red Hat Openshift Devspaces149 vulnerabilities

Red Hat Quay139 vulnerabilities

Red Hat Single Sign On130 vulnerabilities

Red Hat Software Collections123 vulnerabilities

Red Hat Keycloak123 vulnerabilities

Red Hat Rhdh123 vulnerabilities

Red Hat Cryostat119 vulnerabilities

Red Hat Virtualization115 vulnerabilities

Red Hat Acm112 vulnerabilities

Red Hat Discovery105 vulnerabilities

Red Hat Ai Inference Server103 vulnerabilities

Red Hat Single Sign On95 vulnerabilities

Red Hat Openshift Pipelines93 vulnerabilities

Red Hat Ceph Storage92 vulnerabilities

Red Hat Apache Camel Hawtio91 vulnerabilities

Red Hat Amq Streams84 vulnerabilities

Red Hat Service Mesh82 vulnerabilities

Red Hat Multicluster Engine81 vulnerabilities

Red Hat Camel Spring Boot80 vulnerabilities

Red Hat Logging80 vulnerabilities

Red Hat Amq Broker76 vulnerabilities

Red Hat Ansible Portal76 vulnerabilities

Red Hat Serverless74 vulnerabilities

Red Hat Openshift Lightspeed73 vulnerabilities

Red Hat Ansible Tower69 vulnerabilities

Red Hat Kafka66 vulnerabilities

Red Hat Openshift Gitops65 vulnerabilities

Red Hat Quarkus63 vulnerabilities

Red Hat Rhui62 vulnerabilities

Red Hat 3scale Amp61 vulnerabilities

Red Hat Podman Desktop58 vulnerabilities

Red Hat Apicurio Registry55 vulnerabilities

Red Hat Libvirt55 vulnerabilities

Red Hat Camel Quarkus54 vulnerabilities

Red Hat Service Registry54 vulnerabilities

Red Hat Rhmt53 vulnerabilities

Red Hat Virtualization Host53 vulnerabilities

Red Hat Network Observ Optr50 vulnerabilities

Red Hat Multicluster Globalhub50 vulnerabilities

Red Hat Satellite Capsule48 vulnerabilities

Red Hat Jboss Core Services44 vulnerabilities

Red Hat Ansible42 vulnerabilities

Red Hat Http Server42 vulnerabilities

Red Hat Directory Server41 vulnerabilities

Red Hat Enterprise Linux Aus41 vulnerabilities

Red Hat Gatekeeper40 vulnerabilities

Red Hat Undertow40 vulnerabilities
Java HTTP Server and Servlet Container

Recent Red Hat Security Advisories

Advisory Title Published
RHSA-2026:36957 (RHSA-2026:36957) Important: kernel security update July 9, 2026
RHSA-2026:36956 (RHSA-2026:36956) Important: kernel security update July 9, 2026
RHSA-2026:36879 (RHSA-2026:36879) Important: tomcat security, bug fix, and enhancement update July 8, 2026
RHSA-2026:36878 (RHSA-2026:36878) Important: tomcat security update July 8, 2026
RHSA-2026:36877 (RHSA-2026:36877) Important: tomcat security update July 8, 2026
RHSA-2026:36876 (RHSA-2026:36876) Important: tomcat security update July 8, 2026
RHSA-2026:36846 (RHSA-2026:36846) Important: httpd:2.4 security update July 8, 2026
RHSA-2026:36839 (RHSA-2026:36839) Important: Red Hat Build of Apache Camel 4.18 for Quarkus 3.33 update is now available (RHBQ 3.33.2.SP2) July 8, 2026
RHSA-2026:36832 (RHSA-2026:36832) Important: libreoffice security update July 8, 2026
RHSA-2026:36831 (RHSA-2026:36831) Important: httpd:2.4 security update July 8, 2026

By the Year

In 2026 there have been 2002 vulnerabilities in Red Hat with an average score of 7.3 out of ten. Last year, in 2025 Red Hat had 1157 security vulnerabilities published. That is, 845 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.69.




Year Vulnerabilities Average Score
2026 2002 7.27
2025 1157 6.58
2024 1687 6.57
2023 1206 6.75
2022 1362 6.97
2021 1123 6.61
2020 664 6.39
2019 772 6.98
2018 760 7.16

It may take a day or so for new Red Hat vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-15154 Jul 08, 2026
ReDoS in guardrails-detectors (Red Hat OpenShift AI) A flaw was found in `guardrails-detectors`, a component of Red Hat OpenShift AI. This vulnerability, known as Regular Expression Denial of Service (ReDoS), allows a remote attacker to provide specially crafted regular expressions to the public detection API. This can cause catastrophic backtracking, leading to a worker process consuming 100% CPU indefinitely and resulting in a denial of service for the entire guardrails-mediated LLM pipeline.
Openshift Ai
CVE-2026-15063 Jul 08, 2026
Unauthorized Access via Unproxied Metrics in TrustYai Gorch Service A flaw was found in the gorch service template, which is part of the trustyai-service-operator. Even when authentication is enabled, the gorch service exposes unproxied orchestrator and detector metrics ports. This allows any pod on the cluster network to directly access these ports, bypassing the kube-rbac-proxy and its authentication mechanisms. This could lead to unauthorized access to the orchestrator and detector metrics.
Openshift Ai
CVE-2026-15044 Jul 08, 2026
CVE-2026-15044: TrustyAI Service Operator Allows Unauthorized Cluster Access A flaw was found in the TrustyAI Service Operator. When deploying services like gorch or NemoGuardrails, if a specific security setting is not enabled, these services can expose their communication channels without requiring users to prove their identity. This allows any other program within the cluster to access the AI guardrails and orchestrator without proper authorization. An attacker could exploit this to gain unauthorized access to sensitive information and potentially make limited changes to the AI models.
Openshift Ai
CVE-2026-15041 Jul 08, 2026
389 Directory Server PBKDF2SHA256 Timing Attack via NonConstant Memcmp A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash information, though practical exploitation is extremely difficult due to PBKDF2 computational overhead.
Directory Server
Enterprise Linux (RHEL)
CVE-2025-12799 Jul 07, 2026
CVE-2025-12799: XSS in Jastow (and Undertow) via unescaped URL chars A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling.
Jboss Enterprise Application Platform
Jbosseapxp
Red Hat Single Sign On
And others...
CVE-2026-14969 Jul 07, 2026
389-ds Base Static IV Attack (AES-CBC/3DES-CBC) A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged filesystem access to detect plaintext equality across encrypted entries by comparing ciphertext blocks.
Directory Server
Enterprise Linux (RHEL)
CVE-2026-14935 Jul 07, 2026
GStreamer webrtcbin logic flaw bypasses SDP fingerprint check A logic vulnerability was found in GStreamer's webrtcbin component. The _check_sdp_crypto() function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it. An attacker with the ability to intercept and modify WebRTC signaling messages could exploit this to bypass the SDP-level DTLS certificate fingerprint binding, weakening defenses against man-in-the-middle attacks on media streams.
Enterprise Linux (RHEL)
CVE-2026-14940 Jul 07, 2026
Heap Buffer Overflow in 389Directory Server DN Normalization A heap-buffer-overflow flaw was found in 389 Directory Server (389-ds-base). When normalizing a Distinguished Name (DN) that contains a legacy-quoted value encoding a multivalued nested Relative Distinguished Name (RDN), the server can write past the end of a heap allocation while sorting RDN attribute-value pairs. An unauthenticated remote attacker can trigger this condition by sending an LDAP operation whose DN reaches the DN normalization routine, such as a search with a crafted base DN. This can corrupt heap memory and may cause denial of service.
Directory Server
Enterprise Linux (RHEL)
CVE-2026-11610 Jul 07, 2026
389-ds-base 1.3.2+ Heap Buffer Overflow via oversized LDAP UNBIND A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). After a successful SASL bind with integrity protection (SSF > 0), an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer without a bounds check in sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of attacker-controlled data to overflow the buffer, causing a denial of service (server crash). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger this vulnerability over the network after authenticating via GSSAPI. The vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and was not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow in schema.c only.
Directory Server
Enterprise Linux (RHEL)
Directory Server E4s
And others...
CVE-2026-14476 Jul 07, 2026
SSSD AD GPO Path Traversal Enables Root Write & Auth Bypass A path traversal flaw was found in SSSD's AD GPO provider. The ad_gpo_extract_smb_components() function does not sanitize .. sequences in the gPCFileSysPath LDAP attribute, allowing an attacker with AD GPO management access to write files outside the GPO cache directory as root. On default RHEL configurations with SELinux enforcing, this can be used to inject Kerberos configuration leading to authentication bypass.
Enterprise Linux (RHEL)
Openshift
CVE-2026-14474 Jul 07, 2026
SSSD LDAP Sudo Escalation: Unconfigured Search Base Allowing Root Privileges A flaw was found in SSSD's LDAP sudo provider. When the ldap_sudo_search_base option is not explicitly configured, SSSD searches the entire LDAP directory tree for sudoRole objects. An authenticated attacker with write access to any subtree can inject a sudoRole object granting root-level sudo privileges on all SSSD-enrolled hosts.
Enterprise Linux (RHEL)
Openshift
CVE-2026-58384 Jul 07, 2026
Integer Overflow in GIMP PSD Parser read_RLE_channel A flaw was found in GIMP's PSD parser. An integer overflow in read_RLE_channel() can cause an undersized heap allocation for the RLE row-length table, after which subsequent per-row writes corrupt heap memory. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.
Enterprise Linux (RHEL)
CVE-2026-59089 Jul 06, 2026
GIMP TIM Loader int Overflow in CLUT multiplier causing DoS A flaw was found in GIMP. The PlayStation TIM loader, responsible for handling PlayStation image files, incorrectly calculates the size of the Color Look-Up Table (CLUT) due to an integer overflow. This occurs when multiplying num_colors and num_cluts, both 16-bit unsigned short integers, resulting in a value exceeding the maximum integer limit. An attacker could exploit this by providing a specially crafted image file, leading to undefined behavior and causing the GIMP plug-in to abort, effectively resulting in a denial of service.
Enterprise Linux (RHEL)
CVE-2026-58380 Jul 06, 2026
GIMP PNM Parser Off-By-One Buffer Overrun A flaw was found in GIMP's PNM file format parser. When parsing a specially crafted PNM file, the pnmscanner_gettoken() function writes a null terminator one byte past the end of a stack-allocated buffer due to an off-by-one error in the loop boundary check. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.
Enterprise Linux (RHEL)
CVE-2026-9165 Jul 06, 2026
RHACS GraphQL API Depth Bypass Leading to DoS A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane.
Advanced Cluster Security
CVE-2026-14781 Jul 05, 2026
Keycloak OIDC Broker Email-Verified Claim Bypass A flaw exists in the org.keycloak.broker.oidc package where the OIDC broker incorrectly synchronizes the email_verified claim. When an OIDC identity provider is configured with trustEmail=true and the userinfo endpoint is enabled, Keycloak retrieves the email address from the userinfo response but retrieves the email_verified status exclusively from the id_token. The root cause is a lack of validation ensuring that the email_verified claim in the id_token actually refers to the email address returned by the userinfo endpoint. If these two sources return different email addresses, the id_token's email_verified=true claim is blindly applied to the userinfo email. Exploitation Conditions: The OIDC identity provider must have trustEmail set to true (non-default). The userinfo endpoint must be enabled (default). The attacker must control or have compromised the upstream OIDC provider. Concrete Impact: Mark arbitrary email addresses as verified in the Keycloak database. Bypass email-based security controls or verification workflows. Potential account takeover if the application relies solely on the email_verified flag from the IdP to link accounts.
Build Keycloak
Jboss Data Grid
Jbosseapxp
And others...
CVE-2026-53359 Jul 04, 2026
Linux KVM x86 Shadow Paging UAF via Role Mismatch In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected role Commit 0cb2af2ea66ad ("KVM: x86: Fix shadow paging use-after-free due to unexpected GFN") fixed a shadow paging mismatch between stored and computed GFNs; the bug could be triggered by changing a PDE mapping from outside the guest, and then deleting a memslot. The rmap_remove() call would miss entries created after the PDE change because the GFN of the leaf SPTE does not match the GFN of the struct kvm_mmu_page. A similar hole however remains if the modified PDE points to a non-leaf page. In this case the gfn can be made to match, but the role does not match: the original large 2MB page creates a kvm_mmu_page with direct=1, while the new 4KB needs a kvm_mmu_page with direct=0. However, kvm_mmu_get_child_sp() does not compare the role, and therefore reuses the page. The next step is installing a leaf (4KB) SPTE on the new path which records an rmap entry under the gfn resolved by the walk. But when that child is zapped its parent kvm_mmu_page has direct=1 and kvm_mmu_page_get_gfn() computes the gfn for the 4KB page as sp->gfn + index instead of using sp->shadowed_translation[] (or sp->gfns[] in older kernels). It therefore fails to remove the recorded entry. When the memslot is dropped the shadow page is freed but the rmap entry survives, as in the scenario that was already fixed. Code that later walks that gfn (dirty logging, MMU notifier invalidation, and so on) dereferences an sptep that lies in the freed page, causing the use-after-free.
CVE-2026-14355 Jul 03, 2026
PHP 8.2-8.5 OpenSSL AES-WRAP-PAD Buffer Overwrite (pre 8.4.23) In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering application abort.
CVE-2026-58379 Jul 03, 2026
GIMP PSP Parser Heap Overflow Arbitrary Code Execution A flaw was found in GIMP's Paint Shop Pro (PSP) file format parser. This heap buffer overflow vulnerability allows a remote attacker to cause arbitrary code execution or a denial of service (DoS) by tricking a user into opening a specially crafted PSP image file. The vulnerability occurs because the software incorrectly calculates buffer sizes when processing low bit-depth images, leading to an overwrite of adjacent memory.
Enterprise Linux (RHEL)
CVE-2026-14615 Jul 03, 2026
Admin Permission Leak in Keycloak FGAP v2 A flaw was found in the Fine-Grained Admin Permissions (FGAP) v2 implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions when requested through a parent group. This allows a delegated administrator to view details of child groups they are not authorized to access directly, including group names, paths, and custom attributes.
Build Keycloak
CVE-2026-14614 Jul 03, 2026
Keycloak ClientResource Permission Bypass via FGAP v2 A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to see or manage. As a result, an attacker could inject unauthorized data or permissions into the security tokens issued to end-users, potentially tricking other applications into granting higher levels of access than intended.
Build Keycloak
Jboss Data Grid
Jbosseapxp
And others...
CVE-2026-14613 Jul 03, 2026
Keycloak FGAP v2: Admin RLS Bypass Exposes Hidden Groups A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an administrator who is allowed to see a specific "role" can also see a list of all groups assigned to that role. The system fails to check if the administrator has permission to see those specific groups. This could allow a restricted administrator to discover "hidden" groups and see their details, such as internal names and custom settings, which might contain sensitive deployment information.
Build Keycloak
Jboss Data Grid
Jbosseapxp
And others...
CVE-2026-14612 Jul 03, 2026
Off-by-One in FreeIPA ipa-otpd OAuth2 Handler OOB Memory Access Two off-by-one errors in the FreeIPA ipa-otpd daemon's OAuth2 device authorization handler can cause out-of-bounds memory access when processing an oversized response from a configured external OAuth2/OIDC Identity Provider. An attacker who controls or can man-in-the-middle the IdP endpoint may be able to trigger ipa-otpd to write or read one byte past the end of a fixed-size buffer. Exploitation requires FreeIPA to be configured with an external IdP, attacker control or MITM of that IdP, and a user to initiate the OAuth2 device authorization flow. The most likely impact is limited denial of service affecting the ipa-otpd daemon.
Enterprise Linux (RHEL)
CVE-2026-14544 Jul 03, 2026
Integer Overflow in HP HPLIP hpcups Remote Priv Escalation A flaw was found in HPLIP (HP Linux Imaging and Printing Software). This vulnerability, an incomplete fix for CVE-2026-8631, may allow a remote attacker to escalate privileges or achieve arbitrary code execution. This can occur through an integer overflow in the hpcups processing path when handling specially crafted print data.
Enterprise Linux (RHEL)
CVE-2026-58381 Jul 02, 2026
GIMP PSP File Parser Double-Free Vulnerability A flaw was found in GIMP's PSP file format parser. A double-free condition occurs in the read_layer_block() function when processing a specially crafted PSP file. This could allow an attacker to cause memory corruption, potentially leading to denial of service or arbitrary code execution.
Enterprise Linux (RHEL)
CVE-2026-38969 Jul 02, 2026
WEBrick 1.9.2 Request Smuggling via Content-Length Reparse ruby webrick through v1.9.2 WEBrick reparses trailer Content-Length into canonical request state, enabling request smuggling.
CVE-2026-47262 Jul 01, 2026
containerd DoS via faulty image load causing OOM kill (v<1.7.33,2.0.10,2.1.9) containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2, contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components. This issue has been fixed in versions 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2.
CVE-2026-46680 Jul 01, 2026
containerd RunAsNonRoot Bypass via Large UID (v1.7.32/2.0.9/2.2.4/2.3.1) containerd is an open-source container runtime. In versions prior to 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username, leading to runAsNonRoot evasion. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user. This issue has been fixed in versions 1.7.32, 2.0.9, 2.2.4 and 2.3.1.
CVE-2026-14330 Jul 01, 2026
PulseAudio Unbounded alloca() Calls in Protocol Server Multiple unbounded alloca() calls in the PulseAudio protocol server.
Enterprise Linux (RHEL)
CVE-2026-14324 Jul 01, 2026
RAOP Module Accepts Unbounded ContentLength Values (CVE202614324) RAOP module accepts unbounded Content-Length values and does not check the pw_array_add() return.
Enterprise Linux (RHEL)
CVE-2026-5138 Jul 01, 2026
Auth Bypass in Foreman's Taxonomy Controller Exposing CrossTenant Data A flaw was found in Foreman. An authenticated user with host-edit permissions could exploit a cross-tenant information disclosure vulnerability. This flaw occurs because the taxonomy_scope controller method does not properly validate organization and location IDs from nested request parameters, bypassing existing authorization checks. This allows the user to leak sensitive infrastructure metadata, including subnet topology, IP ranges, gateways, DNS servers, and VLAN IDs, from organizations and locations they are not authorized to access.
Satellite
Satellite Capsule
Satellite Maintenance
And others...
CVE-2026-5135 Jul 01, 2026
Foreman Host Retarget Bypass via Broken Access Control A flaw was found in Foreman. This broken access control vulnerability allows an authenticated user with host-edit permissions to retarget an existing lookup value override to a different host. This is achieved by modifying the match field through nested host attributes, effectively bypassing authorisation checks. The consequence is the potential for unauthorised modification of managed host configurations across different organisational and location boundaries.
Satellite
Satellite Capsule
Satellite Maintenance
And others...
CVE-2026-5142 Jul 01, 2026
Foreman SSH Key Leak via View_Keypairs Permission A flaw was found in foreman. Authenticated users with 'view_keypairs' permission can bypass taxonomy scoping, allowing them to download private SSH (Secure Shell) keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant deployments, potentially compromising sensitive information.
Satellite
Satellite Capsule
Satellite Maintenance
And others...
CVE-2026-23537 Jul 01, 2026
Unauthenticated FS Write via /save-document in Feast Feature Server A vulnerability has been identified in the Feast Feature Servers `/save-document` endpoint that allows an unauthenticated remote attacker to write arbitrary JSON files to the server's filesystem. Although the system attempts to restrict file locations, these protections can be bypassed, enabling an attacker to overwrite vital application configurations or startup scripts. Because this flaw requires no credentials or special privileges, any attacker with network access to the server can potentially compromise the integrity of the system. This could lead to unauthorized system modifications, denial of service through disk exhaustion, or potential remote code execution.
Openshift Ai
CVE-2026-5136 Jul 01, 2026
Foreman Usergroup Role Escalation via Improper Permission Validation A flaw was found in Foreman. The Usergroup model in Foreman does not properly validate role assignments against the calling user's permissions. This allows an authenticated user with usergroup management permissions to attach arbitrary roles, including administrative roles, to a user group and then add themselves as a member. Successful exploitation of this vulnerability leads to full privilege escalation, granting the attacker administrator-level access.
Satellite
Satellite Capsule
Satellite Maintenance
And others...
CVE-2026-14258 Jul 01, 2026
dhcpcd ND Router Advertisement Zero-Length Option DoS A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parser to enter a non-advancing loop. Successful exploitation may result in excessive CPU consumption, leading to a denial of service.
Enterprise Linux (RHEL)
CVE-2026-53488 Jul 01, 2026
CRI Label Injection in containerd 1.7.x/2.0-2.3 (1.7.33/2.3.2) containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.
CVE-2026-58016 Jun 30, 2026
GLib g_dbus_node_info_new_for_xml uint overflow OOB read DoS A flaw was found in GLib. A state confusion issue exists in g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when processing malformed D-Bus introspection XML, specifically with a <node> element nested within other elements like <method>, <signal>, <property> or <arg>. This issue can cause an unsigned integer overflow and lead to an out-of-bounds read, resulting in a denial of service.
Enterprise Linux (RHEL)
Hummingbird
CVE-2026-58015 Jun 30, 2026
GLib D-Bus DBUS_COOKIE_SHA1 Auth: CookieCtx Path Traversal CVE-2026-58015 A flaw was found in GLib. The D-Bus client-side implementation of the DBUS_COOKIE_SHA1 SASL authentication mechanism does not validate the cookie_context parameter received from the server. A malicious D-Bus server can supply a cookie_context containing path traversal sequences, causing the client to read an arbitrary file and exfiltrate sensitive data by verifying guessed file contents against a generated hash.
Enterprise Linux (RHEL)
Hummingbird
CVE-2026-58014 Jun 30, 2026
GLib g_key_file Off-By-One Array Index Bug Causing OOB Access A flaw was found in GLib. An off-by-one error can occur in the g_key_file_get_locale_string_list function in the gkeyfile.c file when loading a key file with an empty value. This flaw can cause an out-of-bounds access of 1 byte or a denial of service when the out-of-bounds access crosses a page boundary.
Enterprise Linux (RHEL)
Hummingbird
CVE-2026-58013 Jun 30, 2026
GLib Buffer Over-Read in giochannel.c Minor Info Disclosure & DoS A flaw was found in GLib. A buffer over-read can occur in g_io_channel_read_line_backend() in the giochannel.c file when a custom line terminator with a length greater than one is set, causing memcmp to read past the GString buffer. This vulnerability can cause a minor information disclosure of 7 bytes or a denial of service when the buffer over-read crosses a page boundary.
Enterprise Linux (RHEL)
Hummingbird
CVE-2026-58012 Jun 30, 2026
GLib g_regex_replace over-read via G_REGEX_RAW causing info leak & DoS A flaw was found in GLib. A buffer over-read can occur in the g_regex_replace function when used with the `G_REGEX_RAW` compile flag and case-change replacement escapes because the string_append function processes matched substrings using UTF-8 functions that assume valid UTF-8 input, even when the string is treated as raw bytes. This vulnerability can cause a minor information disclosure of 1-5 bytes and a denial of service when the buffer over-read crosses a page boundary.
Enterprise Linux (RHEL)
Hummingbird
CVE-2026-58010 Jun 30, 2026
GLib Off-by-One in gvs_tuple_is_normal leads to 1byte OOB Read A flaw was found in GLib. An off-by-one error can occur in the gvs_tuple_is_normal function in the glib/gvariant-serialiser.c file when doing an alignment padding check because the bounds check uses > instead of >=, causing an out-of-bounds read of only 1 byte. This issue can cause a minor information disclosure of 1 byte and a denial of service when the out-of-bounds read crosses a page boundary.
Enterprise Linux (RHEL)
Hummingbird
CVE-2026-58011 Jun 30, 2026
Out-of-bounds read in GLib g_date_time_get_ymd A flaw was found in GLib. An out-of-bounds read of only 2 bytes can occur in the g_date_time_get_ymd function in the glib/gdatetime.c file when an invalid GDateTime object produced by the g_date_time_add_full function is processed. This flaw can corrupt the date output and potentially cause logic errors that may lead to a denial of service.
Enterprise Linux (RHEL)
Hummingbird
CVE-2026-12388 Jun 30, 2026
Privilege Escalation in Keycloak via Hardcoded Role Mapper A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role" mapper that assigns high-level administrative roles (like realm-admin) to themselves or others. This allows a restricted administrator to bypass security checks and gain full control over the entire realm.
Build Keycloak
CVE-2026-4629 Jun 30, 2026
Keycloak Privilege Escalation via Role Mapper Injection A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the `realm-admin` role into generated tokens, resulting in privilege escalation and full administrative access to the realm.
Build Keycloak
CVE-2026-14209 Jun 30, 2026
Keycloak Admin UI: FGAP bypass via brute-force-user endpoint A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific "brute-force-user" endpoint to access a user's full profile. This includes sensitive information and security metadata. The issue occurs because the system fails to check if the administrator has the required "view" permission for that specific user when using this particular search path.
Build Keycloak
Jbosseapxp
CVE-2026-13316 Jun 30, 2026
Foreman SSRF via http_proxies_controller to Cloud Metadata A flaw has been found in foreman when HTTP parameters are modified in http_proxies_controller and http_proxy files. Attackers can perform an SSRF attack and steal cloud metadata service on AWS/GCP/Azure environment through foreman component.
Satellite
CVE-2026-13149 Jun 30, 2026
brace-expansion npm <=5.0.6 DoS via exponential brace groups brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.
CVE-2026-12610 Jun 30, 2026
SSSD PAM Responder UAF Crash via YubiKey Manipulation DOS & Possible Priv Esc A flaw was found in sssd. When authenticating with a YubiKey, the SSSD PAM responder can crash due to a use-after-free vulnerability, where a memory pointer is incorrectly handled. A local attacker could exploit this flaw by manipulating smartcard or YubiKey contents, leading to a denial of service that disrupts authentication. This vulnerability also presents a potential for privilege escalation, although it is difficult to exploit.
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others...
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.