Description

A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate.
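As an added example (not part of the Red Hat record or the operator's own code), the following Python audit flags ClusterRoleBindings with the shape described above: a broad group such as system:authenticated bound to a ClusterRole that grants write verbs on Kueue or cert-manager resources. The sample ClusterRole rules are constructed to approximate the advisory, not copied from the operator's manifests; feed `audit()` the `items` of `kubectl get clusterroles,clusterrolebindings -o json` to run it against a real cluster.

```python
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
WATCHED_GROUPS = {"kueue.x-k8s.io", "cert-manager.io"}
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

def write_rules(role):
    """Yield (apiGroup, resource, sorted write verbs) for every rule in a
    ClusterRole that grants a write verb on a watched API group."""
    for rule in role.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        groups = WATCHED_GROUPS if "*" in groups else groups & WATCHED_GROUPS
        writes = set(rule.get("verbs", [])) & WRITE_VERBS
        if not writes:
            continue
        for group in sorted(groups):
            for res in rule.get("resources", []):
                yield group, res, sorted(writes)

def audit(items):
    """items: ClusterRole and ClusterRoleBinding objects (e.g. the `items` of a
    kubectl List). Returns one finding per broad-group binding and write rule."""
    roles = {o["metadata"]["name"]: o for o in items if o["kind"] == "ClusterRole"}
    findings = []
    for b in (o for o in items if o["kind"] == "ClusterRoleBinding"):
        broad = {s["name"] for s in b.get("subjects", [])
                 if s.get("kind") == "Group" and s["name"] in BROAD_GROUPS}
        ref = b["roleRef"]
        if not broad or ref["kind"] != "ClusterRole" or ref["name"] not in roles:
            continue
        for group, res, verbs in write_rules(roles[ref["name"]]):
            findings.append({"binding": b["metadata"]["name"], "subjects": sorted(broad),
                             "role": ref["name"], "resource": f"{res}.{group}", "verbs": verbs})
    return findings

# Constructed sample objects (not the operator's real manifests), shaped like
# kubectl JSON output; the rules approximate what the advisory describes.
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "tekton-scheduler-role"}, "rules": [
        {"apiGroups": ["kueue.x-k8s.io"], "resources": ["workloads", "workloadpriorityclasses"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": ["cert-manager.io"], "resources": ["certificates"],
         "verbs": ["get", "list", "create", "update", "patch", "delete"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "kueue-viewer"}, "rules": [  # read-only control
        {"apiGroups": ["kueue.x-k8s.io"], "resources": ["workloads"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "tekton-scheduler-rolebinding"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}],
     "roleRef": {"kind": "ClusterRole", "name": "tekton-scheduler-role"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "kueue-viewer-binding"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}],
     "roleRef": {"kind": "ClusterRole", "name": "kueue-viewer"}}]
```

The read-only `kueue-viewer-binding` produces no finding, which is the distinction a remediation should preserve: scope the binding to the operator's service account rather than removing the role's read access.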

PUBLISHED Reserved 2026-06-04 | Published 2026-06-04 | Updated 2026-06-09 | Assigner redhat

HIGH: 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Problem types

Incorrect Permission Assignment for Critical Resource

Product status

Default status
affected

Timeline

2026-04-25: Reported to Red Hat.
2026-04-25: Made public.

Credits

Red Hat would like to thank Christopher Lusk (North Echo Security Research) for reporting this issue.

References

access.redhat.com/security/cve/CVE-2026-10840 (vdb-entry)

bugzilla.redhat.com/show_bug.cgi?id=2484720 (RHBZ#2484720, issue-tracking)

cve.org (CVE-2026-10840)

nvd.nist.gov (CVE-2026-10840)