Description
A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate.
Published: 2026-06-04
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The OpenShift Pipelines operator includes a ClusterRoleBinding named tekton-scheduler-rolebinding that, due to an incorrect permission assignment (CWE-732), grants the system:authenticated group write access to Kueue and cert-manager custom resources. An attacker who is only authenticated to the cluster can therefore alter workload scheduling priorities, delete other tenants' Workload objects, or force cert-manager to overwrite TLS secrets, including the default ingress controller certificate, thereby compromising confidentiality, integrity, or availability of the cluster.

Affected Systems

This vulnerability affects Red Hat OpenShift Pipelines and related OpenShift Build products. No specific product versions are listed in the advisory, so the impact applies to any deployed instance of the OpenShift Pipelines operator, regardless of build version.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score is < 1%, indicating a low probability of exploitation, but the lack of a KEV listing does not diminish the potential for active exploitation, especially since any authenticated user can abuse the over-privileged binding. The likely attack vector is a legitimate authenticated session; once authenticated, the attacker can exploit the binding without additional permissions. Because the operator's reconciliation loop may revert manual changes, exploitation is still viable until the issue is formally fixed.

Generated by OpenCVE AI on June 9, 2026 at 09:51 UTC.

Remediation

Vendor Workaround

If the Tekton Scheduler feature is not in use, administrators can mitigate this by patching the ClusterRoleBinding to reference a specific ServiceAccount instead of system:authenticated:

    oc patch clusterrolebinding tekton-scheduler-rolebinding --type=merge -p '{"subjects": [{"kind": "ServiceAccount", "name": "openshift-pipelines-operator", "namespace": "openshift-operators"}]}'

IMPORTANT: The OpenShift Pipelines operator's reconciliation loop may revert this manual patch. Verify that the operator does not reconcile this binding back to system:authenticated after applying the mitigation. If it does, scale down the operator deployment or configure the operator to skip reconciliation of this object. Alternatively, the ClusterRoleBinding can be deleted if the Tekton Scheduler is not enabled.


OpenCVE Recommended Actions

  • Patch the tekton-scheduler-rolebinding to reference only the openshift-pipelines-operator service account using the provided oc patch command.
  • Verify that the OpenShift Pipelines operator does not automatically revert this patch; if it does, scale down the operator deployment or configure it to skip reconciliation of this object.
  • If the Tekton Scheduler feature is not required, delete the tekton-scheduler-rolebinding entirely to eliminate the privilege escalation vector.
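Added example, not part of the advisory or of the operator's code: a Python audit of the ClusterRoleBinding/ClusterRole pair in the shape `oc get ... -o json` returns, together with a model of the advisory's merge patch. The Kueue and cert-manager API groups, the sample role's resource names, and the extra broad groups checked are assumptions; all objects are constructed.

```python
# Audit a ClusterRoleBinding/ClusterRole pair for the over-broad grant in
# CVE-2026-10840 and model the advisory's merge-patch workaround (constructed samples).
# Group subjects that hand a binding to every (or any) user on the cluster.
BROAD_SUBJECTS = {"system:authenticated", "system:authenticated:oauth",
                  "system:unauthenticated"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
# Assumed API groups of the CRDs the advisory names (Kueue, cert-manager).
WATCHED_GROUPS = {"kueue.x-k8s.io", "cert-manager.io"}
# Constructed sample of the binding as the advisory describes it.
BINDING = {
    "metadata": {"name": "tekton-scheduler-rolebinding"},
    "roleRef": {"kind": "ClusterRole", "name": "tekton-scheduler-role"},
    "subjects": [{"kind": "Group", "name": "system:authenticated",
                  "apiGroup": "rbac.authorization.k8s.io"}],
}
# Constructed sample role; resource names are illustrative only.
ROLE = {"metadata": {"name": "tekton-scheduler-role"}, "rules": [
    {"apiGroups": ["kueue.x-k8s.io"], "resources": ["workloads"],
     "verbs": ["get", "list", "create", "update", "patch", "delete"]},
    {"apiGroups": ["cert-manager.io"], "resources": ["certificates"],
     "verbs": ["*"]},
]}

def broad_subjects(binding):
    """Names of Group subjects that make the binding effectively cluster-wide."""
    return [s["name"] for s in binding.get("subjects") or []
            if s.get("kind") == "Group" and s.get("name") in BROAD_SUBJECTS]

def write_grants(role, groups=WATCHED_GROUPS):
    """(apiGroup, resource) pairs the role may modify inside the watched groups."""
    grants = []
    for rule in role.get("rules", []):
        if WRITE_VERBS & set(rule.get("verbs", [])):
            for grp in rule.get("apiGroups", []):
                if grp in groups or grp == "*":
                    grants += [(grp, res) for res in rule.get("resources", [])]
    return grants

def audit(binding, role):
    """Flag the pair only when a broad subject meets write access to watched CRDs."""
    subjects, grants = broad_subjects(binding), write_grants(role)
    return {"vulnerable": bool(subjects and grants),
            "broad_subjects": subjects, "write_grants": grants}

def apply_workaround(binding):
    """Model the advisory's merge patch: it replaces the whole `subjects` list."""
    patched = dict(binding)  # shallow copy; the input object stays untouched
    patched["subjects"] = [{"kind": "ServiceAccount", "namespace": "openshift-operators",
                            "name": "openshift-pipelines-operator"}]
    return patched
```

Re-running `audit` on the binding fetched again after the operator's next reconciliation is the check the advisory asks for: if `broad_subjects` is non-empty again, the patch was reverted.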

Generated by OpenCVE AI on June 9, 2026 at 09:51 UTC.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 08:45:00 +0000

  Metrics (cvssV3_1)
    Removed: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H'}
    Added:   {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H'}


Fri, 05 Jun 2026 10:45:00 +0000

  First Time appeared
    Added: Redhat openshift
  Vendors & Products
    Added: Redhat openshift

Thu, 04 Jun 2026 16:30:00 +0000

  Metrics (ssvc)
    Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 12:15:00 +0000

  Description
    Added: A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate.
  Title
    Added: Openshift-pipelines-operator-rh: openshift-pipelines-operator: tekton-scheduler-rolebinding grants system:authenticated write access to kueue and cert-manager resources
  First Time appeared
    Added: Redhat; Redhat openshift Builds; Redhat openshift Pipelines
  Weaknesses
    Added: CWE-732
  CPEs
    Added: cpe:/a:redhat:openshift_builds:1; cpe:/a:redhat:openshift_pipelines:1
  Vendors & Products
    Added: Redhat; Redhat openshift Builds; Redhat openshift Pipelines
  References
    Added: (empty)
  Metrics (cvssV3_1)
    Added: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-22T12:18:37.128Z

Reserved: 2026-06-04T11:29:18.169Z

Link: CVE-2026-10840

Vulnrichment

Updated: 2026-06-04T13:12:02.813Z

NVD

Status : Awaiting Analysis

Published: 2026-06-04T12:16:24.813

Modified: 2026-06-09T09:16:28.380

Link: CVE-2026-10840

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T10:00:07Z

Weaknesses
  • CWE-732: Incorrect Permission Assignment for Critical Resource