CVE-2025-12103: OpenShift AI TrustyAI Arbitrary Pod & PV Access
CVE-2025-12103 Published on October 28, 2025
Openshift-ai: trusty ai grants all authenticated users to list pods in any namespace
A flaw was found in Red Hat Openshift AI Service. The TrustyAI component is granting all service accounts and users on a cluster permissions to get, list, watch any pod in any namespace on the cluster.
TrustyAI is creating a role `trustyai-service-operator-lmeval-user-role` and a CRB `trustyai-service-operator-default-lmeval-user-rolebinding` which is being applied to `system:authenticated` making it so that every single user or service account can get a list of pods running in any namespace on the cluster
Additionally users can access all `persistentvolumeclaims` and `lmevaljobs`
Vulnerability Analysis
CVE-2025-12103 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Timeline
Reported to Red Hat.
Made public. 5 days later.
Weakness Type
Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Products Associated with CVE-2025-12103
Want to know whenever a new CVE is published for Red Hat Openshift Ai? stack.watch will email you.
Affected Versions
Red Hat OpenShift AI 3.0:- Version sha256:43322a7cecd6fe3309faa160bf92d88518c23b98c6467e5e868a9dbdd3f16b36 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.