OpenShift Cluster Logging Operator: SA Token Escalation via Missing Auth
CVE-2026-10609 Published on June 23, 2026

Openshift/cluster-logging-operator: cluster logging operator creates and forwards serviceaccount tokens without verifying clf creator authorization
A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrate SA tokens and escalate privileges.

NVD

Vulnerability Analysis

CVE-2026-10609 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Timeline

Reported to Red Hat.

Made public. 35 days later.

Weakness Type

What is an AuthZ Vulnerability?

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE-2026-10609 has been classified to as an AuthZ vulnerability or weakness.


Products Associated with CVE-2026-10609

Want to know whenever a new CVE is published for Red Hat Logging? stack.watch will email you.

Red Hat Logging
 

Affected Versions

Logging Subsystem for Red Hat OpenShift: