8.3
CVE-2026-54100
- EPSS 0.18%
- Veröffentlicht 22.06.2026 12:46:09
- Zuletzt bearbeitet 08.07.2026 15:10:50
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Windows-machine-config-operator: windows-machine-config-operator: ssh host key not verified enables credential theft
A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server host key. An adjacent-network attacker who can intercept or redirect WMCO's SSH session can capture WICD and kubelet bootstrap credentials transferred during node configuration, enabling compromise of Windows node identities in the cluster.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Openshift Container Platform Version >= 4.0 <= 4.22.1
Redhat ≫ Windows Machine Config Operator Version-
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.18% | 0.079 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 8.3 | 1.6 | 6 |
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 8.3 | 1.6 | 6 |
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
|
CWE-295 Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.
https://bugzilla.redhat.com/show_bug.cgi?id=2487953
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-54100.json
https://access.redhat.com/security/cve/CVE-2026-54100