Red Hat Multicluster Engine

Recent Red Hat Multicluster Engine Security Advisories

| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:5636 | Important: multicluster engine for Kubernetes v2.7.9 security update | March 24, 2026 |
| RHSA-2026:2571 | Important: multicluster engine for Kubernetes v2.9.2 security update | February 11, 2026 |
| RHSA-2026:1071 | Moderate: multicluster engine for Kubernetes v2.10.1 security update | January 25, 2026 |
| RHSA-2026:1067 | Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.10.1 | January 23, 2026 |
| RHSA-2026:0722 | Important: multicluster engine for Kubernetes v2.8.4 security update | January 15, 2026 |
| RHSA-2026:0671 | Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.8.4 | January 15, 2026 |
| RHSA-2025:23528 | Important: multicluster engine for Kubernetes 2.6 security update | December 17, 2025 |
| RHSA-2025:22683 | Moderate: multicluster engine for Kubernetes v2.7.7 security update | December 3, 2025 |
| RHSA-2025:19958 | Moderate: multicluster engine for Kubernetes v2.7.7 security update | November 10, 2025 |
| RHSA-2025:19381 | Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.9.1 | October 30, 2025 |

By the Year

In 2026 there have been 3 vulnerabilities in Red Hat Multicluster Engine with an average score of 7.3 out of ten. Last year, in 2025, Multicluster Engine had 2 security vulnerabilities published. That is, 1 more vulnerability has already been reported in 2026 than last year. The average vulnerability score for 2026 and last year was the same.

| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 3 | 7.30 |
| 2025 | 2 | 7.30 |
| 2024 | 2 | 6.35 |

It may take a day or so for new Multicluster Engine vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Multicluster Engine Security Vulnerabilities

Privilege Escalation via Group-Writable /etc/passwd in MCE for K8s
CVE-2025-57851 6.4 - Medium - April 08, 2026

A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

Incorrect Default Permissions

OCM CA cert renewal flaw enables cross-cluster privilege escalation
CVE-2026-4740 8.2 - High - April 07, 2026

A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This enables cross-cluster privilege escalation and may allow an attacker to gain control over other managed clusters, including the hub cluster.

Improper Certificate Validation

Operator SDK <0.15.2 RCE via insecure user_setup /etc/passwd
CVE-2025-7195 6.4 - Medium - August 07, 2025

Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

Incorrect Default Permissions

Hive in MCE/ACM Exposes VCenter Credentials via ClusterProvision
CVE-2025-2241 8.2 - High - March 17, 2025

A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized VCenter access, cluster management, and privilege escalation.

Insecure Storage of Sensitive Information

cert-manager: Denial of Service via Malicious PEM Data
CVE-2024-12401 4.4 - Medium - December 12, 2024

A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.

Improper Input Validation

Authenticated Registry Access Path Traversal in containers/image
CVE-2024-3727 8.3 - High - May 14, 2024

A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.

Improper Validation of Integrity Check Value
