Red Hat Multicluster Engine
Recent Red Hat Multicluster Engine Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:2571 | (RHSA-2026:2571) Important: multicluster engine for Kubernetes v2.9.2 security update | February 11, 2026 |
| RHSA-2026:1071 | (RHSA-2026:1071) Moderate: multicluster engine for Kubernetes v2.10.1 security update | January 25, 2026 |
| RHSA-2026:1067 | (RHSA-2026:1067) Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.10.1 | January 23, 2026 |
| RHSA-2026:0722 | (RHSA-2026:0722) Important: multicluster engine for Kubernetes v2.8.4 security update | January 15, 2026 |
| RHSA-2026:0671 | (RHSA-2026:0671) Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.8.4 | January 15, 2026 |
| RHSA-2025:23528 | (RHSA-2025:23528) Important: multicluster engine for Kubernetes 2.6 security update | December 17, 2025 |
| RHSA-2025:22683 | (RHSA-2025:22683) Moderate: multicluster engine for Kubernetes v2.7.7 security update | December 3, 2025 |
| RHSA-2025:19958 | (RHSA-2025:19958) Moderate: multicluster engine for Kubernetes v2.7.7 security update | November 10, 2025 |
| RHSA-2025:19381 | (RHSA-2025:19381) Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.9.1 | October 30, 2025 |
| RHSA-2025:19380 | (RHSA-2025:19380) Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.9.1 | October 30, 2025 |
By the Year
In 2026 there has been 1 vulnerability in Red Hat Multicluster Engine, with an average score of 7.5 out of ten. Last year, in 2025, Multicluster Engine had 2 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Multicluster Engine in 2026 could surpass last year's number. The average CVE base score of the vulnerabilities in 2026 is greater than in 2025 by 0.20.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 7.50 |
| 2025 | 2 | 7.30 |
| 2024 | 2 | 6.35 |
It may take a day or so for new Multicluster Engine vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Multicluster Engine Security Vulnerabilities
Negative DataRow Length in pgproto3 Leading to DoS
CVE-2026-4427 | 7.5 - High | March 19, 2026
A flaw was found in pgproto3. A malicious or compromised PostgreSQL server can exploit this by sending a DataRow message with a negative field length. This input validation vulnerability can lead to a denial of service (DoS) due to a slice bounds out of range panic.
out-of-bounds array index
Operator SDK <0.15.2 RCE via insecure user_setup /etc/passwd
CVE-2025-7195 | 6.4 - Medium | August 07, 2025
Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Incorrect Default Permissions
Hive in MCE/ACM Exposes vCenter Credentials via ClusterProvision
CVE-2025-2241 | 8.2 - High | March 17, 2025
A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes vCenter credentials to be exposed in the ClusterProvision object after provisioning a vSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized vCenter access, cluster management, and privilege escalation.
Insecure Storage of Sensitive Information
cert-manager: Denial of Service via Malicious PEM Data
CVE-2024-12401 | 4.4 - Medium | December 12, 2024
A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.
Improper Input Validation
Authenticated Registry Access Path Traversal in containers/image
CVE-2024-3727 | 8.3 - High | May 14, 2024
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
Improper Validation of Integrity Check Value