CVE Catalog

CVE-2026-10101

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile - higher than 8% of all known CVEs

Summary

The ACM/MCE assisted-service component writes raw pull-secret data into `InfraEnv.status.conditions[].message` when pull-secret validation fails. This allows a namespace principal with the `view` ClusterRole to read sensitive authentication data from InfraEnv objects, bypassing RBAC restrictions on Secrets.

Risk Assessment

The organization is at risk of leaking authentication credentials (username, password, email, base64 auth) to image registries, potentially leading to unauthorized access to container registries and privilege escalation within the cluster.

Recommendation

Immediately update the assisted-service component to a version that does not expose raw pull-secret data in InfraEnv status. Until the update, restrict access to InfraEnv objects to trusted principals only.

Original NVD description (English source)

ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterRole cannot directly read Secrets, but can read `InfraEnv` objects and recover the referenced Secret's `.dockerconfigjson` data from status. This bypasses the Kubernetes/OpenShift RBAC separation between read-only namespace viewers and Secret readers. In the reproduced proof, the same ServiceAccount was denied `get` and `list` on Secrets, but recovered synthetic pull-secret `username`, `password`, `email`, and base64 `auth` fields through `InfraEnv.status`.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS