Impact
A flaw in the OpenShift Router allows an attacker to forge X-SSL-Client-* headers because the HTTP frontend fails to strip them when the Route has insecureEdgeTerminationPolicy set to Allow. This lets an unauthenticated attacker send plain HTTP requests that carry fabricated client-certificate information, tricking backends that rely on those headers for mutual TLS authentication into believing the request originates from an authenticated client. As a result, the attacker can impersonate legitimate client identities and potentially gain unauthorized access to the protected services.
Affected Systems
The vulnerability applies to Red Hat OpenShift Container Platform 4. Any installation that exposes routes with the insecureEdgeTerminationPolicy value of Allow and relies on X-SSL-Client-* headers for mutual-TLS identity verification is at risk. This includes all OpenShift 4 clusters that have enabled insecure edge termination without additional header stripping.
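The two defensive checks below are added example code, not from the advisory or from Red Hat: an audit that flags Routes still carrying the weak insecureEdgeTerminationPolicy: Allow setting and rewrites it to Redirect, and a backend-side guard that refuses to treat X-SSL-Client-* headers as proof of a client certificate unless the request is known to have reached the router over TLS. The sample Route objects and header names are constructed; how a backend learns that a request arrived over TLS is deployment-specific and is passed in here as a boolean.

```python
"""Added example (not from the advisory): audit and harden Route objects,
and drop untrusted X-SSL-Client-* headers on plain-HTTP requests."""
import copy

WEAK_POLICY = "Allow"      # plain HTTP is passed through to the backend
SAFE_POLICY = "Redirect"   # plain HTTP is redirected to HTTPS instead
HEADER_PREFIX = "x-ssl-client-"  # header family the advisory describes

# Constructed sample Routes, shaped like the Kubernetes Route resource.
ROUTES = [
    {"metadata": {"name": "api-mtls"},
     "spec": {"tls": {"termination": "edge",
                      "insecureEdgeTerminationPolicy": "Allow"}}},
    {"metadata": {"name": "web"},
     "spec": {"tls": {"termination": "edge",
                      "insecureEdgeTerminationPolicy": "Redirect"}}},
]


def audit_routes(routes):
    """Names of Routes whose plain-HTTP path still reaches the backend."""
    return [
        r["metadata"]["name"] for r in routes
        if (r.get("spec", {}).get("tls") or {})
        .get("insecureEdgeTerminationPolicy") == WEAK_POLICY
    ]


def harden_route(route):
    """Return a copy of the Route with Allow switched to Redirect."""
    fixed = copy.deepcopy(route)
    tls = fixed.setdefault("spec", {}).setdefault("tls", {})
    if tls.get("insecureEdgeTerminationPolicy") == WEAK_POLICY:
        tls["insecureEdgeTerminationPolicy"] = SAFE_POLICY
    return fixed


def trusted_client_headers(headers, over_tls):
    """Backend-side guard: keep X-SSL-Client-* headers only when the
    request reached the router over TLS. `over_tls` must be derived from
    something the router controls, never from a client-supplied header."""
    return {
        name: value for name, value in headers.items()
        if over_tls or not name.lower().startswith(HEADER_PREFIX)
    }
```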
Risk and Exploitability
The flaw has a CVSS base score of 7.4, indicating high severity. Because the attack is carried out over plain HTTP, it is remotely exploitable by anyone who can send an HTTP request to the router. The EPSS score is not available, but the lack of a listing in the CISA KEV catalogue suggests no publicly known exploits yet. Nonetheless, the ability to impersonate client certificates is a significant security risk that should be treated with urgency.
OpenCVE Enrichment