CVE-2026-4740
Severity: High · CWE-295 (Weakness Type)
Published: Apr 7, 2026 · Modified: Apr 14, 2026 · Source: NVD
CVSS v3: 8.2
📄 Description (English)

A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This enables cross-cluster privilege escalation and may allow an attacker to gain control over other managed clusters, including the hub cluster.

🤖 AI Executive Summary

CVE-2026-4740 is a critical certificate validation flaw in Open Cluster Management affecting Kubernetes environments. A managed cluster administrator can forge client certificates to escalate privileges across clusters, potentially compromising the hub cluster and all managed infrastructure. With a CVSS score of 8.2 and no patch currently available, this poses immediate risk to organizations running Red Hat ACM in production environments.

🤖 AI Intelligence Analysis (Analyzed: Apr 25, 2026 05:48)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations operating Red Hat Advanced Cluster Management face critical risk, particularly: (1) ARAMCO and energy sector operators managing distributed Kubernetes clusters for industrial control systems; (2) SAMA-regulated financial institutions using ACM for multi-cluster banking infrastructure; (3) Government entities (NCA, NCSC) managing national cloud infrastructure; (4) Telecom providers (STC, Mobily) operating containerized services across multiple clusters; (5) Healthcare organizations managing patient data across federated Kubernetes environments. The cross-cluster privilege escalation capability enables attackers to move laterally from managed clusters to hub clusters, potentially compromising entire infrastructure ecosystems.
🏢 Affected Saudi Sectors
- Energy (ARAMCO, oil & gas operations)
- Banking and Financial Services (SAMA-regulated institutions)
- Government (NCA, NCSC, federal agencies)
- Telecommunications (STC, Mobily, Zain)
- Healthcare (Ministry of Health, private hospitals)
- Cloud Infrastructure Providers
- Critical Infrastructure Operators
⚖️ Saudi Risk Score (AI): 8.7 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all Red Hat Advanced Cluster Management (ACM) deployments and identify hub and managed clusters
2. Restrict administrative access to managed clusters to trusted personnel only
3. Implement network segmentation between hub cluster and managed clusters
4. Enable audit logging for all certificate-related operations in Kubernetes API servers
5. Monitor for suspicious certificate signing requests (CSRs) and approvals

COMPENSATING CONTROLS (until patch available):
6. Implement webhook admission controllers to validate certificate requests against a whitelist of authorized certificate subjects
7. Deploy network policies to restrict communication from managed clusters to hub cluster control plane
8. Use RBAC to limit certificate approval permissions to dedicated service accounts with enhanced monitoring
9. Implement certificate pinning for hub-to-managed cluster communication
10. Deploy runtime security monitoring (Falco/Sysdig) to detect unauthorized certificate operations

DETECTION RULES:
- Alert on CertificateSigningRequest objects with suspicious subject names or organizations
- Monitor for approval of CSRs by non-standard approvers
- Track certificate renewal patterns outside normal maintenance windows
- Alert on failed certificate validations in OCM controller logs
- Monitor for cross-cluster API calls using forged certificates

PATCHING:
11. Subscribe to Red Hat security advisories for CVE-2026-4740 patch release
12. Plan immediate patching upon availability with change management approval
13. Test patches in non-production ACM environments first
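Steps 5 and 6 and the first two detection rules above come down to one check: does the subject inside a CertificateSigningRequest match the identity that submitted it, and was the approval made by the expected controller? The following added example (written for this page; it is not code from the OCM project, Red Hat, or this site) implements that check over constructed sample data. It decodes the PKCS#10 subject from a CSR's `spec.request` with a minimal DER walker, compares CN and O against a per-requester policy, and scans Kubernetes audit events for approvals by identities outside an allowlist. The `system:open-cluster-management:<cluster>:` naming, the `hub-ns:csr-approver-sa` service account, and the POLICY table are assumptions chosen for illustration; the sample CSRs carry a real DER subject but placeholder key and signature bytes.

```python
import base64

def _tlv(tag, body):  # DER TLV with short or long length form
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def _oid(dotted):  # DER OBJECT IDENTIFIER, base-128 arcs
    p = [int(x) for x in dotted.split(".")]
    out = [40 * p[0] + p[1]]
    for v in p[2:]:
        enc = [v & 0x7F]
        while v > 0x7F:
            v >>= 7
            enc.insert(0, 0x80 | (v & 0x7F))
        out += enc
    return _tlv(0x06, bytes(out))

def _rdn(oid, value):  # RelativeDistinguishedName: SET { SEQUENCE { OID, UTF8String } }
    return _tlv(0x31, _tlv(0x30, _oid(oid) + _tlv(0x0C, value.encode())))

def build_sample_csr_pem(cn, orgs):
    """Constructed sample CSR: a real DER subject, but placeholder key and signature bytes."""
    subject = _tlv(0x30, b"".join(_rdn("2.5.4.10", o) for o in orgs) + _rdn("2.5.4.3", cn))
    info = _tlv(0x30, _tlv(0x02, b"\x00") + subject + _tlv(0x30, b"placeholder-key") + _tlv(0xA0, b""))
    der = _tlv(0x30, info + _tlv(0x30, _oid("1.2.840.113549.1.1.11") + _tlv(0x05, b"")) + _tlv(0x03, bytes(9)))
    return "-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n" % base64.b64encode(der).decode()

def _der_children(body):  # yield (tag, body) for each TLV directly inside a constructed DER body
    pos = 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:  # long length form: next n bytes hold the length
            n = ln & 0x7F
            ln, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        yield tag, body[pos:pos + ln]
        pos += ln

def csr_subject(pem):
    """Extract (CN, [O, ...]) from the subject of a PEM-encoded PKCS#10 CSR."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    info = next(_der_children(next(_der_children(der))[1]))[1]  # CertificationRequestInfo body
    fields = list(_der_children(info))                           # version, subject, subjectPKInfo, attributes
    cn, orgs = None, []
    for _, rdn in _der_children(fields[1][1]):                   # each SET in the Name
        for _, atv in _der_children(rdn):                        # each AttributeTypeAndValue
            (_, oid), (_, val) = list(_der_children(atv))
            if oid == b"\x55\x04\x03":                           # id-at-commonName
                cn = val.decode()
            elif oid == b"\x55\x04\x0A":                         # id-at-organizationName
                orgs.append(val.decode())
    return cn, orgs

# Policy (assumption, not from the page): requester identity prefix -> (allowed CN prefix, allowed orgs).
# Names use an OCM-style "system:open-cluster-management:<cluster>:" convention for illustration only.
POLICY = {
    "requesters": {"system:open-cluster-management:cluster-a:": (
        "system:open-cluster-management:cluster-a:", {"system:open-cluster-management:cluster-a"})},
    "approvers": {"system:serviceaccount:hub-ns:csr-approver-sa"},  # placeholder controller identity
}

def review_csr(csr, policy):
    """Findings for one CertificateSigningRequest (dict as from `kubectl get csr -o json`); [] means OK."""
    spec, findings = csr["spec"], []
    requester = spec["username"]  # identity the API server recorded as the CSR creator
    cn, orgs = csr_subject(base64.b64decode(spec["request"]).decode())
    rule = next((v for k, v in policy["requesters"].items() if requester.startswith(k)), None)
    if rule is None:
        findings.append("requester %r is not an authorized CSR requester" % requester)
    else:
        if not (cn or "").startswith(rule[0]):
            findings.append("CN %r does not belong to requester %r" % (cn, requester))
        if not set(orgs) <= rule[1]:
            findings.append("organizations %r not authorized for %r" % (orgs, requester))
    if spec.get("signerName") != "kubernetes.io/kube-apiserver-client":
        findings.append("unexpected signer %r" % spec.get("signerName"))
    return findings

def review_approval_events(events, policy):
    """From Kubernetes audit events, list (csr name, user) for approvals made outside the approver set."""
    return [(ev["objectRef"].get("name"), ev["user"]["username"]) for ev in events
            if ev.get("verb") == "update"
            and ev.get("objectRef", {}).get("resource") == "certificatesigningrequests"
            and ev["objectRef"].get("subresource") == "approval"
            and ev["user"]["username"] not in policy["approvers"]]

def make_sample_csr(name, requester, cn, orgs):  # constructed CSR object in the Kubernetes JSON shape
    pem = build_sample_csr_pem(cn, orgs)
    return {"metadata": {"name": name},
            "spec": {"username": requester, "signerName": "kubernetes.io/kube-apiserver-client",
                     "request": base64.b64encode(pem.encode()).decode()}}

SAMPLE_CSRS = [  # constructed: a legitimate renewal, then a cross-cluster subject the requester may not hold
    make_sample_csr("csr-ok", "system:open-cluster-management:cluster-a:agent-1",
                    "system:open-cluster-management:cluster-a:agent-1", ["system:open-cluster-management:cluster-a"]),
    make_sample_csr("csr-forged", "system:open-cluster-management:cluster-a:agent-1",
                    "system:open-cluster-management:cluster-b:agent-1", ["system:open-cluster-management:cluster-b"]),
]
SAMPLE_AUDIT = [  # constructed audit events: one approval by the controller, one by an interactive user
    {"verb": "update", "user": {"username": "system:serviceaccount:hub-ns:csr-approver-sa"},
     "objectRef": {"resource": "certificatesigningrequests", "subresource": "approval", "name": "csr-ok"}},
    {"verb": "update", "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "certificatesigningrequests", "subresource": "approval", "name": "csr-forged"}},
]
```

Running `review_csr` over `SAMPLE_CSRS` returns no findings for `csr-ok` and two for `csr-forged` (CN and organization belong to another cluster), and `review_approval_events(SAMPLE_AUDIT, POLICY)` reports the approval made by `alice@example.com`. In production the same logic belongs in the validating admission webhook of step 6 (reject at create time) and in a job that reads `certificatesigningrequests` audit events (alert on approval); for real CSRs, replace the hand-rolled DER walker with a proper X.509 library, since it handles only the subject encoding shown here.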
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.9.2.1 - User access management and authentication
- ECC 2024 A.9.4.3 - Password management systems
- ECC 2024 A.10.1.1 - Information security perimeter
- ECC 2024 A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
- SAMA CSF 1.1 - Governance and Risk Management
- SAMA CSF 2.2 - Access Control and Authentication
- SAMA CSF 3.1 - Cryptography and Key Management
- SAMA CSF 4.2 - Vulnerability and Patch Management
🟡 ISO 27001:2022
- ISO 27001:2022 A.5.15 - Access control
- ISO 27001:2022 A.8.3 - Cryptography
- ISO 27001:2022 A.8.6 - Management of technical vulnerabilities
- ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities and exposures
🟣 PCI DSS v4.0.1
- PCI DSS 2.1 - Security configuration standards
- PCI DSS 6.2 - Security patches and updates
- PCI DSS 8.2 - User identification and authentication
📊 CVSS Score: 8.2 / 10.0 — High
📊 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
- Attack Vector: L — Local
- Attack Complexity: L — Low
- Privileges Required: H — High
- User Interaction: N — None
- Scope: C — Changed
- Confidentiality: H — High
- Integrity: H — High
- Availability: H — High
📋 Quick Facts
- Severity: High
- CVSS Score: 8.2
- CWE: CWE-295
- EPSS: 0.01%
- Exploit: No
- Patch: ✗ No
- Published: 2026-04-07
- Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.7 / 10.0 — Priority: CRITICAL
🏷️ Tags: CWE-295