Description
ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterRole cannot directly read Secrets, but can read `InfraEnv` objects and recover the referenced Secret's `.dockerconfigjson` data from status.

This bypasses the Kubernetes/OpenShift RBAC separation between read-only namespace viewers and Secret readers. In the reproduced proof, the same ServiceAccount was denied `get` and `list` on Secrets, but recovered synthetic pull-secret `username`, `password`, `email`, and base64 `auth` fields through `InfraEnv.status`.
Published: 2026-05-29
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when ACM/MCE's assisted-service writes the raw referenced pull-secret contents into the status field of an InfraEnv object after a pull-secret validation failure. This leakage discloses the pull-secret's .dockerconfigjson data, including username, password, email, and auth fields, to any namespace principal with the standard view ClusterRole. The underlying weakness is an unintended information disclosure (CWE‑201).

Affected Systems

The affected product is Red Hat Multi-Cluster Engine for Kubernetes. The CVE references only the product; the CNA entry lists no specific version information. Red Hat maintainers have acknowledged the issue in their advisory for the affected cluster distribution. All deployments using the default assisted-service component are potentially impacted until the vendor releases a fix.

Risk and Exploitability

The CVSS base score is 6.3, indicating a medium severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the view role: a user cannot read Secrets directly but can read an InfraEnv object; the status message reveals the pull-secret fields. Attackers who can assign or are granted the view role, or who have compromised an account with that role, can obtain credentials for registry access. Because the vulnerability does not require privileged access, it poses a moderate but non‑negligible risk for installations where view users are broadly delegated.

Generated by OpenCVE AI on May 29, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released patch from Red Hat for the Multi‑Cluster Engine in your environment as soon as possible.
  • Remove or restrict the ability of namespace view users to read InfraEnv objects (e.g., revoke the infraenv.read permission or adjust role bindings so that only cluster administrators can view InfraEnv status).
  • Review RBAC configurations to ensure that view roles do not inherit privileges to read InfraEnv status, and enforce least‑privilege principles for all user accounts.
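As an added defender-side check (not code from OpenCVE, Red Hat or the assisted-service project), the Python below audits InfraEnv objects for the leak described above and targeted by the recommended actions: it scans `status.conditions[].message` for embedded `.dockerconfigjson` content and reports which registry entries and credential fields are exposed, without printing the values. The InfraEnv document inside it is constructed sample data; the condition type, reason and message wording are assumptions.

```python
"""Audit InfraEnv status conditions for embedded pull-secret contents."""
import json
import re
# Constructed sample InfraEnv (shape of `kubectl get infraenv -o json`); the
# failed-validation message carries the referenced Secret's .dockerconfigjson
# verbatim. auth is base64("user:pass"); condition type/reason are assumed.
SAMPLE_INFRAENV = {
    "apiVersion": "agent-install.openshift.io/v1beta1", "kind": "InfraEnv",
    "metadata": {"name": "demo", "namespace": "lab"},
    "spec": {"pullSecretRef": {"name": "pull-secret"}},
    "status": {"conditions": [
        {"type": "ImageCreated", "status": "False", "reason": "PullSecretInvalid",
         "message": "failed to validate pull secret " + json.dumps({"auths": {
             "registry.example.com": {"auth": "dXNlcjpwYXNz", "email": "user@example.com"}
         }}) + ": bad auth"},
        {"type": "ImageCreated", "status": "True", "message": "Image has been created"},
    ]},
}
CRED_KEYS = ("auth", "username", "password", "email")

def find_embedded_pull_secret(message):
    """Return a .dockerconfigjson dict embedded in free text, or None."""
    # Walk back from each "auths" key to an opening brace and raw_decode from
    # there, so prose before and after the JSON does not break parsing.
    for m in re.finditer(r'"auths"', message):
        for start in (i for i in range(m.start(), -1, -1) if message[i] == "{"):
            try:
                obj, _ = json.JSONDecoder().raw_decode(message[start:])
            except json.JSONDecodeError:
                continue
            if isinstance(obj, dict) and isinstance(obj.get("auths"), dict):
                return obj
    return None

def audit_infraenv(infraenv):
    """Report which registries/fields leaked per condition, never the values."""
    meta = infraenv.get("metadata", {})
    findings = []
    for cond in infraenv.get("status", {}).get("conditions", []):
        secret = find_embedded_pull_secret(cond.get("message", ""))
        for registry, entry in (secret or {"auths": {}})["auths"].items():
            findings.append({"infraenv": f"{meta.get('namespace')}/{meta.get('name')}",
                             "condition": cond.get("type"), "registry": registry,
                             "leaked_fields": [k for k in CRED_KEYS if k in entry]})
    return findings

if __name__ == "__main__":  # in practice, feed each item of `kubectl get infraenv -A -o json`
    for f in audit_infraenv(SAMPLE_INFRAENV):
        print(f"{f['infraenv']} {f['condition']}: {f['registry']} leaks {f['leaked_fields']}")
```

Any non-empty result means the namespace's view-bound principals can currently read registry credentials from status, so the affected InfraEnv and its referenced pull secret should be treated as exposed and rotated.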

Generated by OpenCVE AI on May 29, 2026 at 17:37 UTC.

Advisories

No advisories yet.

History

Sat, 30 May 2026 00:15:00 +0000

  • References
  • Metrics: threat_severity changed from None to Moderate

Fri, 29 May 2026 20:30:00 +0000

  • Metrics: ssvc added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 18:00:00 +0000

  • First Time appeared: Redhat multicluster Engine For Kubernetes
  • Vendors & Products: Redhat multicluster Engine For Kubernetes added

Fri, 29 May 2026 16:15:00 +0000

  • Description: added (the text shown under Description above)
  • Title: Assisted-service: assisted-service: infraenv status leaks referenced pull-secret contents to namespace view users
  • First Time appeared: Redhat; Redhat multicluster Engine
  • Weaknesses: CWE-201
  • CPEs: cpe:/a:redhat:multicluster_engine
  • Vendors & Products: Redhat; Redhat multicluster Engine added
  • References
  • Metrics: cvssV3_1 added: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-05-29T19:31:31.845Z
Reserved: 2026-05-29T15:07:59.753Z
Link: CVE-2026-10101

Vulnrichment

Updated: 2026-05-29T19:31:27.488Z

NVD

Status: Awaiting Analysis
Published: 2026-05-29T16:16:24.483
Modified: 2026-05-29T16:29:34.540
Link: CVE-2026-10101

Redhat

Severity: Moderate
Public Date: 2026-05-29T12:00:00Z
Links: CVE-2026-10101 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T17:45:04Z

Weaknesses