Red Hat Multicluster Engine
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Red Hat Multicluster Engine.
Recent Red Hat Multicluster Engine Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:13853 | (RHSA-2026:13853) multicluster engine for Kubernetes v2.11.0 General Availability | May 5, 2026 |
| RHSA-2026:13542 | (RHSA-2026:13542) Important: multicluster engine for Kubernetes v2.10.2 security update | May 4, 2026 |
| RHSA-2026:12337 | (RHSA-2026:12337) Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.11.1 | April 30, 2026 |
| RHSA-2026:11511 | (RHSA-2026:11511) Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.7.10 | April 30, 2026 |
| RHSA-2026:12116 | (RHSA-2026:12116) Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.10.2 | April 30, 2026 |
| RHSA-2026:11858 | (RHSA-2026:11858) Important: multicluster engine for Kubernetes v2.7.10 security update | April 29, 2026 |
| RHSA-2026:11512 | (RHSA-2026:11512) Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.7.10 | April 29, 2026 |
| RHSA-2026:11414 | (RHSA-2026:11414) Important: multicluster engine for Kubernetes v2.9.3 security update | April 28, 2026 |
| RHSA-2026:9848 | (RHSA-2026:9848) Important: multicluster engine for Kubernetes v2.6.10 security update | April 22, 2026 |
| RHSA-2026:8218 | (RHSA-2026:8218) Important: multicluster engine for Kubernetes v2.8.5 security update | April 15, 2026 |
By the Year
In 2026 there have been 4 vulnerabilities in Red Hat Multicluster Engine with an average score of 6.9 out of ten. Last year, in 2025 Multicluster Engine had 2 security vulnerabilities published. That is, 2 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.40
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 4 | 6.90 |
| 2025 | 2 | 7.30 |
| 2024 | 2 | 6.35 |
It may take a day or so for new Multicluster Engine vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Multicluster Engine Security Vulnerabilities
MCE Assisted Service API exposes kubeadmin creds via GET endpoint
CVE-2026-7163
6.1 - Medium
- April 30, 2026
A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. The credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace. The affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected. This issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode. Successful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.
Cleartext Storage of Sensitive Information
Privilege Escalation via GroupWritable /etc/passwd in MCE for K8s
CVE-2025-57851
6.4 - Medium
- April 08, 2026
A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Incorrect Default Permissions
OCM CA cert renewal flaw enables crosscluster privilege escalation
CVE-2026-4740
8.2 - High
- April 07, 2026
A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This enables cross-cluster privilege escalation and may allow an attacker to gain control over other managed clusters, including the hub cluster.
Improper Certificate Validation
Negative DataRow Length in pgproto3 Leading to DoS
CVE-2026-4427
- March 19, 2026
Operator SDK <0.15.2 RCE via insecure user_setup /etc/passwd
CVE-2025-7195
6.4 - Medium
- August 07, 2025
Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Incorrect Default Permissions
Hive in MCE/ACM Exposes VCenter Credentials via ClusterProvision
CVE-2025-2241
8.2 - High
- March 17, 2025
A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized VCenter access, cluster management, and privilege escalation.
Insecure Storage of Sensitive Information
cert-manager: Denial of Service via Malicious PEM Data
CVE-2024-12401
4.4 - Medium
- December 12, 2024
A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.
Improper Input Validation
Authenticated Registry Access Path Traversal in containers/image
CVE-2024-3727
8.3 - High
- May 14, 2024
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
Improper Validation of Integrity Check Value
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Red Hat Multicluster Engine or by Red Hat? Click the Watch button to subscribe.
