Description
A flaw was found in Red Hat OpenShift AI Service. The TrustyAI component grants all service accounts and users on a cluster permission to get, list and watch any pod in any namespace on the cluster.

TrustyAI creates a role `trustyai-service-operator-lmeval-user-role` and a ClusterRoleBinding (CRB) `trustyai-service-operator-default-lmeval-user-rolebinding` that is applied to `system:authenticated`, so every user or service account can list the pods running in any namespace on the cluster.

Additionally, users can access all `persistentvolumeclaims` and `lmevaljobs`.
Published: 2025-10-28
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw was discovered in Red Hat OpenShift AI Service: the TrustyAI component grants all authenticated users and service accounts cluster-wide permission to get, list and watch any pod, persistent volume claim and lmevaljob in any namespace. This violates the principle of least privilege and lets any cluster principal read pod metadata and volume information that could be used to identify sensitive workloads or to prepare further attacks.

Affected Systems

Red Hat OpenShift AI, including the 2.25 and 3.0 releases available on Red Hat Enterprise Linux 9. All versions mentioned in the CNA product list are affected.

Risk and Exploitability

The CVSS score is 5, indicating a moderate impact, while the EPSS score is below 1 % and the vulnerability is not currently listed in CISA KEV. The flaw requires only authenticated access: any cluster user or service account can query the Kubernetes API to enumerate pods, persistent volume claims and LMEval jobs across namespaces. Given any valid cluster credential the attack is straightforward; the estimated exploitation probability is low, but the resulting information disclosure can be broad.

Generated by OpenCVE AI on May 1, 2026 at 06:11 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.


OpenCVE Recommended Actions

  • Inspect the role "trustyai-service-operator-lmeval-user-role" and its cluster role binding "trustyai-service-operator-default-lmeval-user-rolebinding" on the cluster, and either remove the binding or restrict it so that it no longer applies to the system:authenticated group.
  • Re‑apply the TrustyAI operator with updated RBAC definitions that grant only the necessary permissions to the specific service accounts that require pod, persistent volume claim and lmevaljob access, following the principle of least privilege.
  • Audit RBAC changes regularly and monitor for new bindings that grant broad access to pods or persistent volume claims across namespaces.
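The inspection and audit steps above can be automated against the JSON that `kubectl get clusterroles,clusterrolebindings -o json` returns. The following is an added example, not code from OpenCVE, Red Hat or the TrustyAI project; the object names are taken from the advisory, while the rule contents, the `lmevaljobs` API group and the second binding are constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get clusterroles,clusterrolebindings -o json`;
# names come from the advisory, rule contents and the lmevaljobs API group are assumed.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRole",
  "metadata": {"name": "trustyai-service-operator-lmeval-user-role"},
  "rules": [{"apiGroups": [""], "resources": ["pods", "persistentvolumeclaims"],
             "verbs": ["get", "list", "watch"]},
            {"apiGroups": ["trustyai.opendatahub.io"], "resources": ["lmevaljobs"],
             "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "configmap-viewer"},
  "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
 {"kind": "ClusterRoleBinding",
  "metadata": {"name": "trustyai-service-operator-default-lmeval-user-rolebinding"},
  "roleRef": {"kind": "ClusterRole", "name": "trustyai-service-operator-lmeval-user-role"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "configmap-viewers"},
  "roleRef": {"kind": "ClusterRole", "name": "configmap-viewer"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]}
]}
""")

WIDE_GROUPS = {"system:authenticated", "system:unauthenticated"}
SENSITIVE = {"pods", "persistentvolumeclaims", "lmevaljobs"}
READ_VERBS = {"get", "list", "watch"}


def overbroad_bindings(items, sensitive=SENSITIVE):
    """Map binding name -> sorted resources that every (un)authenticated principal can read."""
    roles = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterRole"}
    findings = {}
    for crb in (i for i in items if i["kind"] == "ClusterRoleBinding"):
        groups = {s["name"] for s in crb.get("subjects", []) if s.get("kind") == "Group"}
        role = roles.get(crb["roleRef"]["name"])
        if not groups & WIDE_GROUPS or role is None:  # a dangling roleRef grants nothing
            continue
        exposed = set()
        for rule in role.get("rules", []):
            res, verbs = set(rule.get("resources", [])), set(rule.get("verbs", []))
            if "*" in verbs or verbs & READ_VERBS:  # any read verb is enough to enumerate
                exposed |= sensitive if "*" in res else res & sensitive
        if exposed:
            findings[crb["metadata"]["name"]] = sorted(exposed)
    return findings


if __name__ == "__main__":
    print(overbroad_bindings(SAMPLE["items"]))
```

On a live cluster, feed the output of the `kubectl` command above into `overbroad_bindings` in place of `SAMPLE`; an empty result after the fix confirms that no cluster-wide binding still exposes these resources to every authenticated principal.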

Generated by OpenCVE AI on May 1, 2026 at 06:11 UTC.


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 17:30:00 +0000
  CPEs added: cpe:/a:redhat:openshift_ai:2.25::el9
  References: (no values shown)

Wed, 12 Nov 2025 15:15:00 +0000
  CPEs added: cpe:/a:redhat:openshift_ai:3.0::el9
  References: (no values shown)

Wed, 29 Oct 2025 00:15:00 +0000
  References: (no values shown)
  Metrics: threat_severity changed from None to Moderate

Tue, 28 Oct 2025 14:15:00 +0000
  Metrics added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Oct 2025 13:45:00 +0000
  Description added: the description shown at the top of this page
  Title added: Openshift-ai: trusty ai grants all authenticated users to list pods in any namespace
  First time appeared: Redhat, Redhat openshift Ai
  Weaknesses added: CWE-266
  CPEs added: cpe:/a:redhat:openshift_ai
  Vendors & Products added: Redhat, Redhat openshift Ai
  References: (no values shown)
  Metrics added: cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-23T15:57:51.810Z

Reserved: 2025-10-23T02:55:38.369Z

Link: CVE-2025-12103

Vulnrichment

Updated: 2025-10-28T13:44:24.516Z

NVD

Status : Deferred

Published: 2025-10-28T14:15:55.847

Modified: 2026-04-23T18:16:22.583

Link: CVE-2025-12103

Redhat

Severity : Moderate

Public Date: 2025-10-28T09:00:00Z

Links: CVE-2025-12103 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-01T06:15:10Z

Weaknesses