Description
A flaw was found in the OpenShift Router. A user with EndpointSlice write access can exploit this vulnerability by creating a Service backed by an FQDN (Fully Qualified Domain Name) EndpointSlice that resolves to a cloud metadata endpoint. This allows the router to proxy requests to the cloud metadata endpoint, leading to the disclosure of instance credentials and other sensitive metadata. This bypasses previous security measures for validating IP addresses.
Published: 2026-05-29
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw was discovered in the OpenShift Router that allows a user with write access to EndpointSlices to create a Service backed by an FQDN EndpointSlice. If the FQDN resolves to a cloud metadata endpoint, the router proxies the request to that endpoint, exposing instance credentials and other sensitive metadata. Because the destination is given as a hostname rather than an IP address, the router's prior validation of destination IP addresses is bypassed, enabling a server-side request forgery (SSRF) that can leak privileged data.

Affected Systems

The vulnerability affects Red Hat OpenShift Container Platform 4. Any deployment of this version that has the router component and permits write access to EndpointSlices is potentially impacted.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, and while the EPSS score is unavailable, the absence of this CVE from the CISA KEV catalog suggests no publicly known exploitation yet. An attack requires write permission on EndpointSlices, used to create or modify a Service's EndpointSlice so that it carries an FQDN under the attacker's control. Once configured, the router makes outbound HTTP requests to the resolved metadata service, exposing the instance credentials it returns.

Generated by OpenCVE AI on May 29, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest OpenShift Container Platform patches that address the SSRF flaw
  • Restrict EndpointSlice write permissions to a minimal set of trusted users only
  • Audit router configuration to reject any EndpointSlice that resolves to known cloud metadata service addresses or IP ranges
  • Enforce network segmentation or firewall rules to block outbound traffic from cluster nodes to cloud metadata IP ranges
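The third action above (rejecting EndpointSlices that point at cloud metadata addresses) can be implemented as a pre-admission check. The following is an added illustration, not OpenShift or OpenCVE code; it assumes the standard Kubernetes EndpointSlice shape (`addressType`, `endpoints[].addresses`), a constructed and deliberately non-exhaustive denylist of metadata ranges, and a pluggable resolver so the FQDN case can be checked offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List

# Constructed, non-exhaustive denylist: the link-local range that hosts the
# common 169.254.169.254 metadata service, plus the AWS IMDS IPv6 address.
METADATA_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fd00:ec2::254/128"),
]

Resolver = Callable[[str], Iterable[str]]


def default_resolver(name: str) -> List[str]:
    """Resolve a hostname to all of its A/AAAA records via the system resolver."""
    infos = socket.getaddrinfo(name, None)
    return sorted({info[4][0] for info in infos})


def is_metadata_address(addr: str) -> bool:
    """True if the literal IP falls inside a denylisted metadata range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in METADATA_NETWORKS)


def endpointslice_violations(slice_obj: dict, resolver: Resolver = default_resolver) -> List[str]:
    """Return reasons to reject an EndpointSlice; an empty list means it is allowed.

    FQDN-typed slices (the case in this advisory) are resolved first and the
    resulting IPs are checked; IPv4/IPv6 slices are checked as literals.
    """
    address_type = slice_obj.get("addressType", "IPv4")
    problems: List[str] = []
    for endpoint in slice_obj.get("endpoints", []):
        for address in endpoint.get("addresses", []):
            if address_type == "FQDN":
                try:
                    resolved = list(resolver(address))
                except OSError as exc:
                    # Fail closed: a name that cannot be resolved cannot be proven safe.
                    problems.append(f"{address}: resolution failed ({exc})")
                    continue
                for ip in resolved:
                    if is_metadata_address(ip):
                        problems.append(f"{address} resolves to metadata address {ip}")
            elif is_metadata_address(address):
                problems.append(f"literal endpoint {address} is a metadata address")
    return problems
```

Note that a check at admission time is only a snapshot: a DNS record can change after the slice is accepted, so the network-level egress block in the last action remains the stronger control.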

Generated by OpenCVE AI on May 29, 2026 at 11:20 UTC.


Advisories

No advisories yet.

History

Fri, 29 May 2026 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Redhat openshift Container Platform
Vendors & Products | - | Redhat openshift Container Platform

Fri, 29 May 2026 10:30:00 +0000

Type | Values Removed | Values Added
Description | - | A flaw was found in the OpenShift Router. A user with EndpointSlice write access can exploit this vulnerability by creating a Service backed by an FQDN (Fully Qualified Domain Name) EndpointSlice that resolves to a cloud metadata endpoint. This allows the router to proxy requests to the cloud metadata endpoint, leading to the disclosure of instance credentials and other sensitive metadata. This bypasses previous security measures for validating IP addresses.
Title | - | Openshift/router: openshift/router: cloud metadata ssrf via fqdn-typed endpointslice bypasses destination validation
First Time appeared | - | Redhat; Redhat openshift
Weaknesses | - | CWE-918
CPEs | - | cpe:/a:redhat:openshift:4
Vendors & Products | - | Redhat; Redhat openshift
References | - | -
Metrics | - | cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-29T09:50:44.429Z

Reserved: 2026-05-28T06:07:06.564Z

Link: CVE-2026-42965

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-29T11:16:16.923

Modified: 2026-05-29T14:06:47.240

Link: CVE-2026-42965

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T14:30:36Z

Weaknesses