Cluster Admin Escalation via WMCO CSR Auto-Approval
CVE-2026-54099 Published on June 22, 2026

Windows-machine-config-operator: windows-machine-config-operator: wicd csr extra-organization allows privilege escalation to system:masters
A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The WICD CSR auto-approver validates that a Certificate Signing Request contains the organization system:wicd-nodes but does not reject additional organization values such as system:masters. A compromised Windows worker node that holds WICD credentials can submit a CSR that is auto-approved and signed by the cluster, yielding a client certificate that grants cluster-administrator privileges and enabling full cluster takeover.

NVD

Vulnerability Analysis

CVE-2026-54099 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Timeline

Reported to Red Hat.

Made public.

Weakness Type

Improper Privilege Management

The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.


Products Associated with CVE-2026-54099

stack.watch emails you whenever new vulnerabilities are published in Red Hat Openshift or Red Hat Windows Machine Config. Just hit a watch button to start following.

Red Hat Openshift
 
Red Hat Windows Machine Config
 

Affected Versions

Red Hat OpenShift Container Platform 4: Red Hat OpenShift Container Platform 4: Red Hat OpenShift for Windows Containers: