Red Hat Cluster Observability Operator


Recent Red Hat Cluster Observability Operator Security Advisories

Advisory          Title                                              Published
RHSA-2026:26010   Cluster Observability Operator 1.5.0               June 15, 2026
RHSA-2026:4782    Cluster Observability Operator 1.4.0               March 17, 2026
RHSA-2025:21146   Cluster Observability Operator 1.3.0               November 12, 2025
RHSA-2024:8040    Moderate: Cluster Observability Operator 0.4.1     October 14, 2024

By the Year

In 2026 there have so far been 3 vulnerabilities in Red Hat Cluster Observability Operator, with an average CVSS base score of 7.6 out of 10. In 2025, Cluster Observability Operator had 1 security vulnerability published, so 2 more have already been reported in 2026 than in all of last year. The 2025 average base score was 1.23 higher than this year's (8.80 versus 7.57).

Year   Vulnerabilities   Average Score
2026   3                 7.57
2025   1                 8.80

It may take a day or so for new Cluster Observability Operator vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name, so the counts above can lag or undercount.

Recent Red Hat Cluster Observability Operator Security Vulnerabilities

follow-redirects: Auth Header Leak via Cross-Domain Redirects (1.15.x)
CVE-2026-40895 7.5 - High - April 21, 2026

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects strips only the authorization, proxy-authorization, and cookie headers (matched by a regular expression in index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target, so a server that can issue a redirect to a host it controls receives the caller's credential. This vulnerability is fixed in 1.16.0.

Information Disclosure
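The header-stripping decision described above, as an added example that is not follow-redirects' own code: a "legacy" policy drops only the three header names named in the advisory, while a "hardened" policy forwards nothing but an explicit safe list across a domain change. The safe list, the origin comparison, the header values and the URLs are assumptions constructed for this example.

```javascript
// Added example, not follow-redirects' own code. It models two policies for
// deciding which request headers are re-sent after a cross-domain redirect:
// "legacy" mirrors the behaviour described in the advisory (only Authorization,
// Proxy-Authorization and Cookie are dropped), "hardened" forwards only an
// explicit safe list. Header values and URLs below are constructed.

const LEGACY_SENSITIVE = /^(authorization|proxy-authorization|cookie)$/i;

// Headers that carry no caller identity and are safe to re-send elsewhere
// (assumed safe list for this example).
const CROSS_DOMAIN_SAFE = new Set([
  "accept", "accept-encoding", "accept-language", "cache-control",
  "content-length", "content-type", "if-modified-since", "if-none-match",
  "range", "user-agent",
]);

// Any change of scheme, host or port counts as cross-domain (a strict origin
// comparison; assumption made for this example).
function isCrossDomain(fromUrl, toUrl) {
  const a = new URL(fromUrl), b = new URL(toUrl);
  return a.protocol !== b.protocol || a.hostname !== b.hostname || a.port !== b.port;
}

// Returns the headers that would be sent to the redirect target under `policy`.
function headersForRedirect(headers, fromUrl, toUrl, policy) {
  if (!isCrossDomain(fromUrl, toUrl)) return { ...headers };
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    const keep = policy === "hardened"
      ? CROSS_DOMAIN_SAFE.has(lower)      // allow-list: unknown headers are dropped
      : !LEGACY_SENSITIVE.test(lower);     // deny-list: unknown headers leak
    if (keep) forwarded[name] = value;
  }
  return forwarded;
}

// Constructed outbound request carrying both a bearer token and a custom key.
const REQUEST_HEADERS = {
  Authorization: "Bearer constructed-token",
  "X-API-Key": "constructed-api-key",
  Cookie: "session=constructed",
  "Content-Type": "application/json",
  Accept: "application/json",
};
const ORIGIN_URL = "https://api.example.test/v1/items";
const REDIRECT_URL = "https://collector.example.test/capture"; // different host

// Names of credential-looking headers that would reach the redirect target.
function leakedCredentialHeaders(policy) {
  const forwarded = headersForRedirect(REQUEST_HEADERS, ORIGIN_URL, REDIRECT_URL, policy);
  return Object.keys(forwarded).filter((n) => /auth|cookie|key|token/i.test(n));
}

console.log("legacy   leaks:", leakedCredentialHeaders("legacy"));   // [ 'X-API-Key' ]
console.log("hardened leaks:", leakedCredentialHeaders("hardened")); // []
```

The deny-list shape is the root problem: it can only name the credential headers its authors thought of, so every bespoke header an application invents is forwarded by default. When auditing a client, check which form the redirect code uses rather than whether the three well-known names appear in it.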

Axios v1.15.0 Proxy Bypass via NO_PROXY Handling SSRF
CVE-2025-62718 7 - High - April 09, 2026

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly normalize hostnames when checking NO_PROXY rules. Requests to loopback addresses written as `localhost.` (with a trailing dot) or `[::1]` (an IPv6 literal) skip NO_PROXY matching and are sent through the configured proxy. This contradicts what developers expect and lets an attacker who controls the request URL force requests through the proxy even when NO_PROXY is set up to keep loopback or internal services off it. The result is a proxy bypass that can be used for SSRF, reaching sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.

Confused Deputy
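The NO_PROXY matching failure described above, as an added example that is not Axios' own code: a matcher that compares the hostname exactly as the URL parser produced it misses both `localhost.` and `[::1]`, while one that canonicalises the host (and the rules) first does not. The NO_PROXY value, the suffix-rule semantics and the probe URLs are assumptions constructed for this example.

```javascript
// Added example, not Axios' own code. It contrasts a NO_PROXY matcher that
// uses the raw hostname with one that canonicalises it first. The NO_PROXY
// value and the request URLs are constructed.

const NO_PROXY = "localhost,127.0.0.1,::1,.internal.example.test";

// Strip the bracket form of IPv6 literals and any trailing dots so that
// "[::1]" -> "::1" and "localhost." -> "localhost" before comparison.
function canonicalHost(hostname) {
  let h = hostname.toLowerCase();
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1);
  return h.replace(/\.+$/, "");
}

function parseNoProxy(value, normalise) {
  return value.split(",").map((s) => s.trim()).filter(Boolean)
    .map((r) => (normalise ? canonicalHost(r) : r.toLowerCase()));
}

// A leading-dot rule matches the domain itself and every subdomain
// (assumed semantics for this example).
function ruleMatches(rule, host) {
  if (rule === "*") return true;
  if (rule.startsWith(".")) return host === rule.slice(1) || host.endsWith(rule);
  return host === rule;
}

// Naive: the WHATWG URL parser keeps the trailing dot in "localhost." and the
// brackets in "[::1]", so neither string equals its NO_PROXY rule.
function bypassesProxyNaive(urlString) {
  const host = new URL(urlString).hostname.toLowerCase();
  return parseNoProxy(NO_PROXY, false).some((rule) => ruleMatches(rule, host));
}

// Hardened: canonicalise both the request host and every rule.
function bypassesProxyHardened(urlString) {
  const host = canonicalHost(new URL(urlString).hostname);
  return parseNoProxy(NO_PROXY, true).some((rule) => ruleMatches(rule, host));
}

// Constructed probes: the second and third are the forms named in the advisory.
const PROBES = [
  "http://localhost:8080/admin",
  "http://localhost.:8080/admin",      // trailing dot
  "http://[::1]:8080/admin",           // IPv6 loopback literal
  "http://api.internal.example.test/", // covered by the suffix rule
  "http://public.example.test/",       // should go through the proxy
];

for (const u of PROBES) {
  console.log(u.padEnd(36), "naive:", bypassesProxyNaive(u), " hardened:", bypassesProxyHardened(u));
}
```

The same canonicalisation step belongs anywhere a hostname is compared against an allow or deny list (egress filters, SSRF guards, cookie scoping): an exact string match on a name the parser has not normalised is a bypass waiting for an alternate spelling.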

Prototype Pollution via _.unset/.omit in Lodash 4.17.22
CVE-2025-13465 8.2 - High - January 21, 2026

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths that cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched in 4.17.23.

Prototype Pollution
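The deletion path described above, as an added example that is not Lodash's code: a minimal path-walking unset written for this example shows how a path such as `constructor.prototype.render` (or `__proto__.render`) walks off the target object onto its prototype and deletes a shared method, and a guard that rejects prototype-reaching segments stops it. The `Widget` and `Gadget` classes, the paths and the forbidden-segment list are assumptions constructed for this example; the demonstration deliberately targets a throwaway class rather than `Object.prototype`.

```javascript
// Added example, not Lodash's own code. A minimal path-based unset and a guard
// that refuses path segments which reach a prototype. Classes and paths are
// constructed; nothing here touches Object.prototype.

const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

function toPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split(".");
}

// Naive unset: walks the path and deletes the final segment wherever it lands.
// "constructor.prototype.render" resolves obj.constructor (inherited) and then
// its prototype, so the delete hits the class, not the instance.
function unsetNaive(obj, path) {
  const segs = toPath(path);
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur == null) return false;
    cur = cur[segs[i]];
  }
  if (cur == null) return false;
  return delete cur[segs[segs.length - 1]];
}

// Guard: a path is safe only if no segment can step onto a prototype.
function isSafePath(path) {
  return toPath(path).every((s) => !FORBIDDEN_SEGMENTS.has(s));
}

function unsetGuarded(obj, path) {
  if (!isSafePath(path)) {
    throw new TypeError(`refusing prototype-reaching path: ${toPath(path).join(".")}`);
  }
  return unsetNaive(obj, path);
}

class Widget { render() { return "ok"; } }

// Deleting through the naive unset removes render() from every Widget.
function demoNaive() {
  const w = new Widget();
  unsetNaive(w, "constructor.prototype.render"); // "__proto__.render" reaches the same object
  return typeof new Widget().render;             // "undefined"
}

// The guard refuses the crafted path but still removes ordinary own keys.
function demoGuarded() {
  class Gadget { render() { return "ok"; } }
  const g = new Gadget();
  g.settings = { theme: "dark" };
  let refused = false;
  try { unsetGuarded(g, "constructor.prototype.render"); } catch (e) { refused = e instanceof TypeError; }
  unsetGuarded(g, "settings.theme");
  return {
    refused,
    stillRenders: typeof new Gadget().render === "function",
    removedOwnKey: !("theme" in g.settings),
  };
}

console.log("naive:  ", demoNaive());
console.log("guarded:", demoGuarded());
```

When user-controlled strings end up as property paths, validating the segments before they reach any deep get/set/unset helper is the cheap defence; it does not depend on which library version happens to check internally.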

Observability Operator Priv Esc via MonitorStack SA Impersonation
CVE-2025-2843 8.8 - High - November 12, 2025

A flaw was found in the Observability Operator. When the namespace-scoped MonitorStack custom resource is deployed, the Operator creates a ServiceAccount bound to a ClusterRole. An adversarial Kubernetes account holding only namespace-level roles, for example a tenant controlling a namespace, can create a MonitorStack in that namespace and then elevate to cluster-level permissions by impersonating the ServiceAccount the Operator created, resulting in privilege escalation and other issues.

Incorrect Privilege Assignment
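A check for the binding pattern behind this flaw, as an added example that is not part of the operator or the advisory: any ClusterRoleBinding whose subject is a ServiceAccount living in a tenant namespace hands cluster-wide rights to whoever can act as that account. The function below walks a list in the shape `kubectl get clusterrolebindings -o json` returns and flags such subjects. The platform-namespace list, the binding names, the ClusterRole names and the ServiceAccount names are assumptions constructed for this example.

```javascript
// Added example, not the operator's code. It audits ClusterRoleBinding objects
// for cluster-scoped grants to ServiceAccounts in tenant namespaces. The input
// is constructed in the shape `kubectl get clusterrolebindings -o json`
// returns; namespace, role and account names are hypothetical.

// Namespaces where cluster-scoped ServiceAccounts are expected to live
// (assumed list for this example).
const PLATFORM_NAMESPACES = new Set([
  "kube-system", "openshift-monitoring", "openshift-operators",
]);

// Constructed sample: one group binding, one tenant-namespace SA binding that
// models the pattern described in the advisory, one platform SA binding.
const BINDINGS = { items: [
  { metadata: { name: "cluster-admins" },
    roleRef: { kind: "ClusterRole", name: "cluster-admin" },
    subjects: [{ kind: "Group", name: "system:masters" }] },
  { metadata: { name: "monitor-stack-team-a" },
    roleRef: { kind: "ClusterRole", name: "monitoring-reader" },
    subjects: [{ kind: "ServiceAccount", name: "monitorstack-sa", namespace: "team-a" }] },
  { metadata: { name: "platform-metrics" },
    roleRef: { kind: "ClusterRole", name: "monitoring-reader" },
    subjects: [{ kind: "ServiceAccount", name: "prometheus", namespace: "openshift-monitoring" }] },
] };

// Returns one finding per ServiceAccount subject that sits outside the
// platform namespaces yet is bound to a ClusterRole through a ClusterRoleBinding.
function findTenantServiceAccountBindings(list, platformNamespaces = PLATFORM_NAMESPACES) {
  const findings = [];
  for (const b of list.items ?? []) {
    if (b.roleRef?.kind !== "ClusterRole") continue;
    for (const s of b.subjects ?? []) {
      if (s.kind !== "ServiceAccount") continue;
      if (platformNamespaces.has(s.namespace)) continue;
      findings.push({
        binding: b.metadata.name,
        clusterRole: b.roleRef.name,
        // The principal any tenant who can use this SA's token effectively becomes.
        serviceAccount: `system:serviceaccount:${s.namespace}:${s.name}`,
      });
    }
  }
  return findings;
}

for (const f of findTenantServiceAccountBindings(BINDINGS)) {
  console.log(`ClusterRoleBinding ${f.binding} grants ClusterRole ${f.clusterRole} to ${f.serviceAccount}`);
}
```

Run the same function over real output by replacing `BINDINGS` with the parsed result of `kubectl get clusterrolebindings -o json`. A hit is not automatically a bug, but each one is a cluster-wide grant controlled from inside a single namespace, which is exactly the boundary this CVE crosses, so every hit should be justified or moved to a namespaced RoleBinding.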
