Red Hat Acm
By the Year
In 2026 there has been 1 vulnerability in Red Hat Acm, with an average score of 5.3 out of ten. Last year, in 2025, Acm had 8 security vulnerabilities published. Right now, Acm is on track to have fewer security vulnerabilities in 2026 than it did last year. Last year, the average CVE base score was greater by 1.28.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 5.30 |
| 2025 | 8 | 6.58 |
| 2024 | 5 | 7.08 |
It may take a day or so for new Acm vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Acm Security Vulnerabilities
Information Disclosure in Go Viper Mapstructure WeakDecode via Error Messages
CVE-2025-11065
5.3 - Medium
January 26, 2026
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.
Generation of Error Message Containing Sensitive Information
Nodemailer DoS via crafted email header triggers infinite recursion
CVE-2025-14874
7.5 - High
December 18, 2025
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
Improper Check or Handling of Exceptional Conditions
Email Parser Vulnerability: Quoted External Address Escapes Recipient
CVE-2025-13033
7.5 - High
November 14, 2025
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.
Improper Validation of Syntactic Correctness of Input
Nx npm package tampering: FS scan and credential exfil to GitHub
CVE-2025-10894
9.6 - Critical
September 24, 2025
Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repository under the affected user's account.
Embedded Malicious Code
Operator SDK <0.15.2 RCE via insecure user_setup /etc/passwd
CVE-2025-7195
5.2 - Medium
August 07, 2025
Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Incorrect Default Permissions
CIRCL FourQ RCE via Low-Order Point Injection in Diffie-Hellman
CVE-2025-8556
3.7 - Low
August 06, 2025
A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.
Improper Verification of Cryptographic Signature
Red Hat RHACM v2.10-2.12 UI Credential Leakage (CVE-2025-6017)
CVE-2025-6017
5.5 - Medium
July 02, 2025
A flaw was found in Red Hat Advanced Cluster Management through versions 2.10, before 2.10.7, 2.11, before 2.11.4, and 2.12, before 2.12.4. This vulnerability allows an unprivileged user to view confidential managed cluster credentials through the UI. This information should only be accessible to authorized users and may result in the loss of confidentiality of administrative information, which could be leaked to unauthorized actors.
Privacy violation
Hive in MCE/ACM Exposes VCenter Credentials via ClusterProvision
CVE-2025-2241
8.2 - High
March 17, 2025
A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes vCenter credentials to be exposed in the ClusterProvision object after provisioning a vSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized vCenter access, cluster management, and privilege escalation.
Insecure Storage of Sensitive Information
serialize-javascript XSS via unsanitized regex input
CVE-2024-11831
5.4 - Medium
February 10, 2025
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
XSS
Open Cluster Management (OCM) Service Account Token Theft Vulnerability
CVE-2024-9779
7.5 - High
December 17, 2024
A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token by creating and mounting the target service account to control the whole cluster.
Trust Boundary Violation
Privileged Container Exec via RBAC in Submariner (CVE-2024-5042)
CVE-2024-5042
6.6 - Medium
May 17, 2024
A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster.
Execution with Unnecessary Privileges
Authenticated Registry Access Path Traversal in containers/image
CVE-2024-3727
8.3 - High
May 14, 2024
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
Improper Validation of Integrity Check Value
CVE-2024-1139: Credentials Leak in OCP Cluster Monitor Op
CVE-2024-1139
7.7 - High
April 25, 2024
A credentials leak vulnerability was found in the cluster monitoring operator in OCP. This issue may allow a remote attacker who has basic login credentials to inspect the pod manifest and discover a repository pull secret.
Information Disclosure
CoreDNS invalid cache entries due to flawed caching mechanism
CVE-2024-0874
5.3 - Medium
April 25, 2024
A flaw was found in CoreDNS. This issue could lead to invalid cache entries being returned due to an incorrectly implemented caching mechanism.
Use of Cache Containing Sensitive Information