Description
A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The WICD CSR auto-approver validates that a Certificate Signing Request contains the organization system:wicd-nodes but does not reject additional organization values such as system:masters. A compromised Windows worker node that holds WICD credentials can submit a CSR that is auto-approved and signed by the cluster, yielding a client certificate that grants cluster-administrator privileges and enabling full cluster takeover.
Published: 2026-06-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Windows Machine Config Operator causes automatically approved certificate signing requests that contain the organization system:wicd‑nodes to also accept additional organizations such as system:masters. A Windows worker node that has been compromised and holds WICD credentials can therefore submit a CSR that includes system:masters; the operator signs it without rejecting the extra value. This results in a client certificate that grants cluster‑administrator privileges, giving the attacker full control over the OpenShift environment and the ability to compromise confidentiality, integrity, and availability of all deployed workloads.

Affected Systems

The vulnerability affects every installation of Red Hat OpenShift Container Platform 4 and Red Hat OpenShift for Windows Containers that deploy the Windows Machine Config Operator. Because no specific version constraints are listed, all current releases of the WMCO component are potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.8 classifies this issue as high severity. The EPSS score is not available, so the precise likelihood of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. The attack requires local compromise of a Windows node that holds WICD credentials; once those credentials are available, an attacker can request a CSR with the system:masters organization and obtain an administrator certificate, enabling a complete cluster takeover. The potential impact is therefore significant.

Generated by OpenCVE AI on June 22, 2026 at 15:07 UTC.

Remediation

Vendor Workaround

At this time, no mitigation or workaround is available for this vulnerability. Customers are advised to apply the appropriate updates as they become available.


OpenCVE Recommended Actions

  • Apply the latest OpenShift updates that contain the fix for the Windows Machine Config Operator
  • Revoke or remove the WICD credentials from all Windows worker nodes and enforce least‑privilege policies on node service accounts
  • Configure the cluster to reject CSRs that contain organization system:masters or disable automatic approval for that organization
  • Continuously monitor the cluster for the creation of unexpected administrator certificates and audit CSR requests

Generated by OpenCVE AI on June 22, 2026 at 15:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Container Platform
Redhat openshift For Windows Containers
Vendors & Products Redhat openshift Container Platform
Redhat openshift For Windows Containers

Tue, 23 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Mon, 22 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The WICD CSR auto-approver validates that a Certificate Signing Request contains the organization system:wicd-nodes but does not reject additional organization values such as system:masters. A compromised Windows worker node that holds WICD credentials can submit a CSR that is auto-approved and signed by the cluster, yielding a client certificate that grants cluster-administrator privileges and enabling full cluster takeover.
Title Windows-machine-config-operator: windows-machine-config-operator: wicd csr extra-organization allows privilege escalation to system:masters
First Time appeared Redhat
Redhat openshift
Redhat windows Machine Config
Weaknesses CWE-269
CPEs cpe:/a:redhat:openshift:4
cpe:/a:redhat:windows_machine_config
Vendors & Products Redhat
Redhat openshift
Redhat windows Machine Config
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Redhat Openshift Openshift Container Platform Openshift For Windows Containers Windows Machine Config
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-30T12:10:48.667Z

Reserved: 2026-06-11T19:02:42.736Z

Link: CVE-2026-54099

cve-icon Vulnrichment

Updated: 2026-06-30T03:17:42.530Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-10T00:00:00Z

Links: CVE-2026-54099 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:27Z

Weaknesses
  • CWE-269

    Improper Privilege Management