Description
A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise.
Published: 2026-06-04
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The OpenShift Cloud Credential Operator Mint‑mode IAM policies provision operator credentials with account‑wide scope for destructive actions. If those credentials are compromised, an attacker can perform destructive IAM operations beyond the intended cluster scope, potentially affecting any resource in the AWS account. This over‑broad privilege corresponds to CWE‑250, Execution with Unnecessary Privileges.

Affected Systems

The flaw affects Red Hat OpenShift Container Platform 4. No specific sub‑version ranges were defined in the advisory, so all installations running this platform that use Mint mode are potentially vulnerable.

Risk and Exploitability

The CVSS base score of 7.2 indicates a high severity, while the absence of an EPSS score means current data is limited but does not negate the risk. The vulnerability is not yet in the CISA KEV catalog, but it remains a significant risk for any cluster employing Mint mode. Exploitation requires obtaining the operator credentials, which could be achieved through misconfiguration, insider threats, or credential theft. Once in possession, the attacker can issue destructive IAM actions across the entire AWS account.

Generated by OpenCVE AI on June 4, 2026 at 13:50 UTC.

Remediation

Vendor Workaround

Migrate from CCO Mint mode to STS mode (AWS Security Token Service), which eliminates long-lived IAM users and uses short-lived, role-scoped OIDC tokens. Alternatively, switch to CCO Manual mode or Passthrough mode. If a mode migration is not immediately feasible, manually restrict the IAM policies on CCO-provisioned IAM users by adding tag-based conditions that scope destructive actions to resources tagged kubernetes.io/cluster/<infraName>=owned. For S3 actions, restrict Resource to the specific registry bucket ARN rather than "*". For enterprise defense-in-depth, deploy AWS Service Control Policies (SCPs) that deny destructive actions from non-approved principals, and apply IAM Permission Boundaries to CCO-created users.

OpenCVE Recommended Actions

  • Migrate the Cloud Credential Operator from Mint mode to STS mode to eliminate long‑lived IAM users and use short‑lived role‑scoped OIDC tokens.
  • If mode migration is not possible, switch the operator to Manual mode or Passthrough mode as an alternative.
  • Limit the IAM policies assigned to CCO‑created users by adding tag‑based conditions that scope destructive actions to resources tagged kubernetes.io/cluster/<infraName>=owned, and restrict S3 resource ARNs to the specific registry bucket instead of "*".
  • Deploy AWS Service Control Policies that deny destructive actions for non‑approved principals and apply IAM Permission Boundaries to CCO‑created users.
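The workaround above and the matching recommended actions both come down to the same property: no Allow statement on a CCO-provisioned IAM user should grant a destructive action on Resource "*" without a cluster-ownership tag condition. The audit script below is an added example, not Red Hat's or OpenCVE's code and not the actual CCO CredentialsRequest manifests. It checks identity-policy documents for that property, using a constructed "weak" policy (the pattern the advisory describes) beside a constructed "hardened" one (tag condition on EC2 actions, explicit bucket ARN for S3). The infraName value `demo-abc12`, the registry bucket name, and the list of action patterns treated as destructive are all assumptions.

```python
"""Audit IAM policy documents for account-wide destructive permissions.

Added example; policies below are constructed for illustration and are
not the real CCO Mint-mode manifests. INFRA_NAME, the bucket name and
the destructive-action heuristics are assumptions.
"""
import fnmatch
import json

# Placeholder; in a real cluster this comes from the Infrastructure object.
INFRA_NAME = "demo-abc12"
CLUSTER_TAG = f"kubernetes.io/cluster/{INFRA_NAME}"
OWNED_CONDITION_KEY = f"aws:ResourceTag/{CLUSTER_TAG}"

# Heuristic: action patterns an auditor treats as destructive (assumption).
DESTRUCTIVE_PATTERNS = ["*:Delete*", "*:Terminate*", "*:Detach*", "*:Revoke*"]

# Constructed: the account-wide shape the advisory warns about.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Ec2Broad", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances", "ec2:DeleteVolume"],
         "Resource": "*"},
        {"Sid": "S3Broad", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:DeleteObject", "s3:DeleteBucket"],
         "Resource": "*"},
    ],
}

# Constructed: the same permissions scoped to cluster-owned resources.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Ec2Describe", "Effect": "Allow",
         "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Sid": "Ec2ClusterOwned", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume"],
         "Resource": "*",
         "Condition": {"StringEquals": {OWNED_CONDITION_KEY: "owned"}}},
        {"Sid": "S3RegistryBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:DeleteObject", "s3:DeleteBucket"],
         "Resource": ["arn:aws:s3:::example-registry-bucket",
                      "arn:aws:s3:::example-registry-bucket/*"]},
    ],
}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_destructive(action):
    """A bare '*' or any action matching a destructive pattern."""
    return action == "*" or any(
        fnmatch.fnmatchcase(action, pat) for pat in DESTRUCTIVE_PATTERNS)


def statement_is_scoped(stmt):
    """True when the statement is confined to explicit ARNs or to
    resources carrying the cluster-ownership tag."""
    resources = _as_list(stmt.get("Resource", []))
    if resources and all(r != "*" for r in resources):
        return True
    # Condition keys are case-insensitive in IAM; compare lower-cased.
    for operator, keys in stmt.get("Condition", {}).items():
        if not operator.startswith("StringEquals"):
            continue
        for key, val in keys.items():
            if key.lower() == OWNED_CONDITION_KEY.lower() and "owned" in _as_list(val):
                return True
    return False


def audit_policy(policy):
    """Return one finding per Allow statement that grants a destructive
    action account-wide (Resource '*' with no ownership-tag condition)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        bad = [a for a in _as_list(stmt.get("Action", [])) if is_destructive(a)]
        if bad and not statement_is_scoped(stmt):
            findings.append({"statement": stmt.get("Sid", f"#{idx}"), "actions": bad})
    return findings


if __name__ == "__main__":
    print(json.dumps({"weak": audit_policy(WEAK_POLICY),
                      "hardened": audit_policy(HARDENED_POLICY)}, indent=2))
```

Run it against the inline documents of real CCO-created users (for example the output of `aws iam get-user-policy`) after loading them with `json.load`. Two caveats worth keeping in mind: not every AWS action honours `aws:ResourceTag`, so a tag condition that the checker accepts may still be ignored at evaluation time for some actions, and the script only inspects identity policies; the SCPs and permission boundaries the advisory recommends are a separate, outer layer that this check does not model.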


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 08:00:00 +0000

Type: First Time appeared; Values added: Redhat openshift Container Platform
Type: Vendors & Products; Values added: Redhat openshift Container Platform

Thu, 04 Jun 2026 15:15:00 +0000

Type: Metrics; Values added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 12:15:00 +0000

Type: Description; Values added: A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise.
Type: Title; Values added: Cloud-credential-operator: cco mint-mode credentialsrequest manifests grant account-wide iam access beyond cluster scope on aws
Type: First Time appeared; Values added: Redhat, Redhat openshift
Type: Weaknesses; Values added: CWE-250
Type: CPEs; Values added: cpe:/a:redhat:openshift:4
Type: Vendors & Products; Values added: Redhat, Redhat openshift
Type: References; Values added:
Type: Metrics; Values added: cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-04T14:25:15.779Z

Reserved: 2026-06-04T11:52:56.953Z

Link: CVE-2026-10843

Vulnrichment

Updated: 2026-06-04T14:25:11.568Z

NVD

Status : Awaiting Analysis

Published: 2026-06-04T12:16:24.970

Modified: 2026-06-04T15:35:18.623

Link: CVE-2026-10843

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T07:45:35Z

Weaknesses
  • CWE-250: Execution with Unnecessary Privileges