Description
A flaw was found in the gorch service template, which is part of the trustyai-service-operator. Even when authentication is enabled, the gorch service exposes unproxied orchestrator and detector metrics ports. This allows any pod on the cluster network to directly access these ports, bypassing the kube-rbac-proxy and its authentication mechanisms. This could lead to unauthorized access to the orchestrator and detector metrics.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Wed, 08 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 08 Jul 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in the gorch service template, which is part of the trustyai-service-operator. Even when authentication is enabled, the gorch service exposes unproxied orchestrator and detector metrics ports. This allows any pod on the cluster network to directly access these ports, bypassing the kube-rbac-proxy and its authentication mechanisms. This could lead to unauthorized access to the orchestrator and detector metrics. | |
| Title | Trustyai-service-operator: trustyai service operator: gorch port bypass when auth is enabled | |
| First Time appeared |
Redhat
Redhat openshift Ai |
|
| Weaknesses | CWE-306 | |
| CPEs | cpe:/a:redhat:openshift_ai | |
| Vendors & Products |
Redhat
Redhat openshift Ai |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-07-08T15:56:34.556Z
Reserved: 2026-07-08T14:31:24.772Z
Link: CVE-2026-15063
Updated: 2026-07-08T15:56:31.003Z
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-306
Missing Authentication for Critical Function