Vulnerabilities ›

CVE-2026-10840

High

CWE-732 — Weakness Type

                    Published: Jun 4, 2026                      ·  Modified: Jun 10, 2026                      ·  Source: NVD                

CVSS v3

7.1

🔗 NVD Official

📄 Description (English)

A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate.

🤖 AI Executive Summary

CVE-2026-10840 is a privilege escalation vulnerability in OpenShift Pipelines operator affecting RBAC configurations. Any authenticated user can gain unauthorized write access to Kueue and cert-manager resources, enabling workload disruption, scheduling tampering, and TLS certificate manipulation. With CVSS 7.1 and no patch currently available, this poses significant risk to containerized infrastructure in Saudi organizations running OpenShift.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Jun 9, 2026 12:54

🇸🇦 Saudi Arabia Impact Assessment

Critical impact for Saudi government entities (NCA, CITC), financial institutions (SAMA-regulated banks, fintech), and energy sector (ARAMCO, utilities) running OpenShift Kubernetes clusters. Telecommunications providers (STC, Mobily) and healthcare organizations using containerized workloads face workload disruption and certificate tampering risks. The vulnerability enables lateral movement and denial of service attacks against mission-critical infrastructure. Saudi cloud service providers offering OpenShift-based services are particularly exposed.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Administration Energy and Utilities Telecommunications Healthcare Cloud Service Providers Critical Infrastructure

🎯 MITRE ATT&CK Techniques

T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt T1098.001 - Account Manipulation: Additional Cloud Credentials T1526 - Cloud Service Discovery T1578.003 - Modify Cloud Compute Infrastructure: Delete Cloud Compute Resources T1552.007 - Unsecured Credentials: Container API T1199 - Trusted Relationship T1021.006 - Remote Services: OpenSSH

⚖️ Saudi Risk Score (AI)

7.8

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Audit all OpenShift clusters for presence of Kueue and cert-manager CRDs using: kubectl get crd | grep -E 'kueue|cert-manager'

2. Review tekton-scheduler-rolebinding permissions: kubectl get clusterrolebinding tekton-scheduler-rolebinding -o yaml

3. Restrict system:authenticated group access by removing overly permissive bindings

4. Implement network policies to limit inter-pod communication



COMPENSATING CONTROLS (until patch available):

5. Create custom RBAC policies limiting write access to Kueue/cert-manager resources to service accounts only

6. Implement Pod Security Standards (PSS) to restrict container capabilities

7. Enable audit logging for all ClusterRoleBinding modifications

8. Use admission controllers (OPA/Gatekeeper) to prevent unauthorized resource modifications

9. Segregate Kueue and cert-manager namespaces with NetworkPolicies

10. Monitor for suspicious cert-manager Secret modifications using: kubectl logs -n cert-manager deployment/cert-manager



DETECTION RULES:

- Alert on any write operations to kueue.x-k8s.io/* resources by non-service accounts

- Monitor cert-manager Secret modifications in default and ingress-related namespaces

- Track ClusterRoleBinding changes affecting system:authenticated group

- Flag Workload object deletions across namespaces

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تدقيق جميع مجموعات OpenShift للتحقق من وجود Kueue و cert-manager CRDs باستخدام: kubectl get crd | grep -E 'kueue|cert-manager'

2. مراجعة أذونات tekton-scheduler-rolebinding: kubectl get clusterrolebinding tekton-scheduler-rolebinding -o yaml

3. تقييد وصول مجموعة system:authenticated بإزالة الربطات المفرطة في الأذونات

4. تنفيذ سياسات الشبكة لتحديد اتصالات البودات

الضوابط البديلة (حتى توفر التصحيح):

5. إنشاء سياسات RBAC مخصصة تقيد الوصول للكتابة إلى موارد Kueue/cert-manager لحسابات الخدمة فقط

6. تنفيذ معايير أمان البودات (PSS) لتقييد قدرات الحاويات

7. تفعيل تسجيل التدقيق لجميع تعديلات ClusterRoleBinding

8. استخدام متحكمات القبول (OPA/Gatekeeper) لمنع التعديلات غير المصرح بها على الموارد

9. فصل مساحات أسماء Kueue و cert-manager باستخدام NetworkPolicies

10. مراقبة تعديلات Secret في cert-manager باستخدام: kubectl logs -n cert-manager deployment/cert-manager

قواعد الكشف:

- تنبيهات على أي عمليات كتابة إلى موارد kueue.x-k8s.io/* من قبل حسابات غير الخدمة

- مراقبة تعديلات Secret في cert-manager في مساحات الأسماء الافتراضية والمتعلقة بالدخول

- تتبع تغييرات ClusterRoleBinding التي تؤثر على مجموعة system:authenticated

- تحديد حذف كائنات Workload عبر مساحات الأسماء

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Access Control Policy (RBAC misconfiguration) ECC 2024 A.5.2.1 - User Registration and De-registration (authenticated user privilege escalation) ECC 2024 A.5.3.1 - Access Rights Review (overly permissive ClusterRoleBinding) ECC 2024 A.8.1.1 - Information Security Awareness (container security risks) ECC 2024 A.12.4.1 - Event Logging (audit trail for resource modifications)

🔵 SAMA CSF

SAMA CSF ID.AM-1 - Asset Management (inventory of OpenShift clusters with vulnerable operators) SAMA CSF PR.AC-1 - Access Control (RBAC policy enforcement) SAMA CSF PR.AC-4 - Access Management (least privilege principle violation) SAMA CSF DE.AE-1 - Anomalies and Events (detection of unauthorized resource access) SAMA CSF RS.MI-2 - Incident Response (containment of privilege escalation)

🟡 ISO 27001:2022

ISO 27001:2022 A.5.2 - Information Security Policies (access control policy) ISO 27001:2022 A.6.2 - Internal Organization (segregation of duties) ISO 27001:2022 A.8.2 - Asset Management (inventory and classification) ISO 27001:2022 A.9.1 - Access Control (user access management) ISO 27001:2022 A.9.2 - User Access Management (least privilege) ISO 27001:2022 A.12.4 - Logging (activity logging and monitoring)

🟣 PCI DSS v4.0.1

PCI DSS 2.1 - Default Security Parameters (secure RBAC configuration) PCI DSS 6.2 - Security Patches (timely patching of operators) PCI DSS 7.1 - Least Privilege Access (RBAC enforcement) PCI DSS 10.2 - User Access Logging (audit trails for resource modifications)

🔗 References & Sources 2

🔗

https://access.redhat.com/security/cve/CVE-2026-10840

secalert@redhat.com

🔗

https://bugzilla.redhat.com/show_bug.cgi?id=2484720

secalert@redhat.com

📊 CVSS Score

7.1

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityL — Low / Local

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.1

CWECWE-732

EPSS0.02%

Exploit No

Patch ✗ No

Published 2026-06-04

Source Feed nvd

🇸🇦 Saudi Risk Score

7.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-732

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-10840

Introduce Yourself

Sign In Required