Observability Operator Priv Esc via MonitorStack SA Impersonation
CVE-2025-2843 Published on November 12, 2025
Observability-operator: observability operator privilege escalation
A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with *ClusterRole* upon deployment of the *Namespace-Scoped* Custom Resource MonitorStack. This issue allows an adversarial Kubernetes Account with only namespaced-level roles, for example, a tenant controlling a namespace, to create a MonitorStack in the authorized namespace and then elevate permission to the cluster level by impersonating the ServiceAccount created by the Operator, resulting in privilege escalation and other issues.
Vulnerability Analysis
CVE-2025-2843 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Timeline
Reported to Red Hat.
Made public. 77 days later.
Weakness Type
Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Products Associated with CVE-2025-2843
Want to know whenever a new CVE is published for Red Hat Cluster Observability Operator? stack.watch will email you.
Affected Versions
rhobs observability-operator:- Before 1.3.0 is affected.
- Version sha256:84a281b3cd370cd42b89489c770f8b31d13e9aa570dc1b6cda6042bfba4824f8 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.