OpenShift: BuildEnv Injection via buildconfigs/instantiate
CVE-2026-7309 Published on April 28, 2026
openshift-controller-manager: OpenShift Container Platform: information disclosure via environment variable injection
A flaw was found in the OpenShift Container Platform build system. A user with the `edit` ClusterRole can inject arbitrary environment variables, such as `LD_PRELOAD` or `http_proxy`, into `docker-build` containers through the `buildconfigs/instantiate` API. The flaw stems from an incomplete fix for a previous vulnerability and allows information disclosure, specifically compromising the confidentiality of build traffic.
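A defender-side check for the request path the advisory describes, added here as an example and not code from Red Hat or the OpenShift project: it audits a `BuildRequest` body (the object posted to `buildconfigs/instantiate`) and reports `env` entries that would change how the build container loads libraries or routes traffic. It generalizes beyond the two variables the advisory names by flagging any `LD_*` or `*_PROXY` name; the sample request and its values are constructed.

```python
"""Audit an OpenShift BuildRequest for env overrides that alter dynamic
loading or outbound traffic inside the build pod (example, not project code)."""
import json

# Exact names worth denying outright; LD_* and *_PROXY prefixes/suffixes
# are also matched so variants such as LD_AUDIT or ALL_PROXY are caught.
SENSITIVE_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "HTTP_PROXY",
                 "HTTPS_PROXY", "NO_PROXY", "ALL_PROXY"}


def is_sensitive_name(name: str) -> bool:
    """Case-insensitive match, so http_proxy and HTTP_PROXY both flag."""
    upper = name.upper()
    return (upper in SENSITIVE_ENV
            or upper.startswith("LD_")
            or upper.endswith("_PROXY"))


def sensitive_env_overrides(build_request: dict) -> list[dict]:
    """Return the request.env entries that set a sensitive variable."""
    findings = []
    for entry in build_request.get("env") or []:
        name = str(entry.get("name", ""))
        if is_sensitive_name(name):
            findings.append({"name": name, "value": entry.get("value")})
    return findings


def admission_verdict(build_request: dict) -> tuple[bool, str]:
    """Allow/deny decision a validating webhook could return."""
    hits = sensitive_env_overrides(build_request)
    if not hits:
        return True, "no sensitive env overrides"
    names = ", ".join(h["name"] for h in hits)
    return False, f"BuildRequest sets loader/proxy variables: {names}"


# Constructed sample of an instantiate request body; values are placeholders.
SAMPLE_REQUEST = {
    "kind": "BuildRequest",
    "apiVersion": "build.openshift.io/v1",
    "metadata": {"name": "app-build"},
    "env": [
        {"name": "BUILD_LOGLEVEL", "value": "5"},
        {"name": "http_proxy", "value": "http://203.0.113.10:3128"},
        {"name": "LD_PRELOAD", "value": "/tmp/example.so"},
    ],
}

if __name__ == "__main__":
    allowed, reason = admission_verdict(SAMPLE_REQUEST)
    print(json.dumps({"allowed": allowed, "reason": reason}, indent=2))
```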
Vulnerability Analysis
CVE-2026-7309 can be exploited with network access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be small for confidentiality, and small for integrity and availability.
Timeline
Reported to Red Hat.
Made public 56 days later.
Weakness Type
What is an Untrusted Path Vulnerability?
The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.
CVE-2026-7309 has been classified as an Untrusted Path vulnerability or weakness.
Products Associated with CVE-2026-7309