6.8
CVE-2026-10609
- EPSS 0.23%
- Veröffentlicht 23.06.2026 13:26:43
- Zuletzt bearbeitet 08.07.2026 15:10:22
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Openshift/cluster-logging-operator: cluster logging operator creates and forwards serviceaccount tokens without verifying clf creator authorization
A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrate SA tokens and escalate privileges.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Cluster Logging Operator Version-
Redhat ≫ Logging Subsystem For Red Hat Openshift Version-
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.23% | 0.132 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 6.8 | 2.3 | 4 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
https://bugzilla.redhat.com/show_bug.cgi?id=2483943
https://access.redhat.com/security/cve/CVE-2026-10609