Description
A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This enables cross-cluster privilege escalation and may allow an attacker to gain control over other managed clusters, including the hub cluster.
Published: 2026-04-07
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑cluster privilege escalation
Action: Immediate Patch
AI Analysis

Impact

Improper validation of Kubernetes client certificate renewal in Open Cluster Management (OCM) allows a managed‑cluster administrator to forge a client certificate that the OCM controller will approve. The forged certificate can be used to impersonate higher‑privilege identities across clusters, enabling the attacker to gain control over the hub cluster and any other managed clusters in the environment. The vulnerability leads to a full compromise of confidentiality, integrity, and availability for all clusters connected through OCM.

Affected Systems

Red Hat Multicluster Engine for Kubernetes is the affected product. No specific affected version information was supplied, so any installation of this product should be evaluated to determine if it is running an unpatched version of OCM.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. The EPSS score is not available, but the absence of a KEV listing suggests the flaw is not yet known to be exploited in the wild. The most likely attack vector is an internal one: an attacker who already holds administrative privileges on a managed cluster can forge a client certificate and submit it for renewal. If the OCM controller accepts the forged certificate, the attacker can then act on the hub and on other managed clusters with elevated privileges. Exploitation does not require network access beyond the normal OCM traffic between managed clusters and the hub. Given the severity and potential impact, the risk is considered high.

Generated by OpenCVE AI on April 7, 2026 at 20:05 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Upgrade Red Hat Multicluster Engine for Kubernetes to the latest version that contains the OCM certificate renewal validation fix.
  • If an update is not immediately available, restrict administrative access on managed clusters and isolate them from the hub cluster until the vendor releases a patch.
  • Verify that Kubernetes client certificate renewal is properly validated on the hub and all managed clusters.
  • Monitor certificate generation and renewal logs for anomalous or duplicate certificate requests that could indicate an attempt to forge credentials.
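As an added defensive example (not code from the page or from the OCM project), this is the kind of subject check a hub-side CSR approver should apply before approving a renewal: a CSR submitted by a managed cluster may only request that cluster's own agent identity, and the request must carry a valid self-signature. The OCM identity naming (the CN and organization prefixes and the shared group name) is an assumption, as is the BuildCSR helper, which exists only to construct sample input.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"strings"
)
// Assumed OCM naming (not stated on this page): CN "system:open-cluster-management:<cluster>:<agent>",
// organizations "system:open-cluster-management:<cluster>" plus the shared group below.
const idPrefix, sharedGroup = "system:open-cluster-management:", "system:open-cluster-management:managed-clusters"
// ValidateRenewalCSR accepts a renewal CSR from cluster clusterName only if it
// asks for that cluster's own identity; any foreign CN or group is rejected.
func ValidateRenewalCSR(csrPEM []byte, clusterName string) error {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil { // requester must hold the private key
		return err
	}
	if !strings.HasPrefix(csr.Subject.CommonName, idPrefix+clusterName+":") {
		return fmt.Errorf("CN %q is not an agent of cluster %q", csr.Subject.CommonName, clusterName)
	}
	for _, o := range csr.Subject.Organization {
		if o != idPrefix+clusterName && o != sharedGroup {
			return fmt.Errorf("CSR from %q requests foreign group %q", clusterName, o)
		}
	}
	return nil
}
// BuildCSR signs a CSR for the given subject; used here only to construct sample input.
func BuildCSR(cn string, orgs []string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: orgs}}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}
func main() { // a cluster-a agent asking for cluster-b's group is rejected
	fmt.Println(ValidateRenewalCSR(BuildCSR(idPrefix+"cluster-a:agent", []string{idPrefix + "cluster-b"}), "cluster-a"))
}
```

The approver must derive clusterName from the authenticated identity of the agent that submitted the CSR, never from the CSR contents themselves.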



Advisories

  Source: Github GHSA
  ID: GHSA-q4gv-pjmh-c735
  Title: Open Cluster Management (OCM): Cross-cluster privilege escalation via improper Kubernetes client certificate renewal validation
History

Tue, 28 Apr 2026 20:45:00 +0000

  First Time appeared (added): Redhat advanced Cluster Management For Kubernetes
  CPEs (added): cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:-:*:*:*:*:*:*:*
  Vendors & Products (added): Redhat advanced Cluster Management For Kubernetes

Thu, 09 Apr 2026 15:15:00 +0000

  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 00:15:00 +0000

  References: (no values listed)
  Metrics threat_severity: removed None, added Important

Tue, 07 Apr 2026 15:15:00 +0000

  Description (added): A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This enables cross-cluster privilege escalation and may allow an attacker to gain control over other managed clusters, including the hub cluster.
  Title (added): Rhacm: open cluster management (ocm): cross-cluster privilege escalation via improper kubernetes client certificate renewal validation
  First Time appeared (added): Redhat; Redhat multicluster Engine
  Weaknesses (added): CWE-295
  CPEs (added): cpe:/a:redhat:multicluster_engine
  Vendors & Products (added): Redhat; Redhat multicluster Engine
  References (added): (no values listed)
  Metrics (added): cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-09T14:40:43.580Z

Reserved: 2026-03-24T03:19:46.998Z

Link: CVE-2026-4740

Vulnrichment

Updated: 2026-04-09T14:40:40.356Z

NVD

Status: Analyzed

Published: 2026-04-07T15:17:46.797

Modified: 2026-04-28T20:39:15.040

Link: CVE-2026-4740

Redhat

Severity: Important

Public Date: 2026-04-07T14:00:35Z

Links: CVE-2026-4740 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:48:47Z

Weaknesses