PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10101 Red Hat CVE debrief

A vulnerability in the ACM/MCE assisted-service component allows unauthorized disclosure of pull-secret credentials through Kubernetes Custom Resource status fields. When pull-secret validation fails, the service writes the raw referenced Secret contents—including `.dockerconfigjson` data containing registry authentication credentials—into the `InfraEnv.status.conditions[].message` field. This creates an RBAC bypass where principals with only namespace `view` permissions (who cannot directly read Secrets) can recover sensitive credential data by reading `InfraEnv` objects. The vulnerability undermines Kubernetes/OpenShift's security model by exposing Secret data through a non-Secret read path.

Vendor: Red Hat
Product: Multicluster Engine for Kubernetes
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running Red Hat ACM or MCE with assisted-service deployments; cluster administrators responsible for RBAC configuration; security teams monitoring for secret exfiltration paths in Kubernetes environments; compliance auditors assessing separation of duties between secret readers and resource viewers

Technical summary

The assisted-service component in Red Hat Advanced Cluster Management (ACM) and Multicluster Engine (MCE) improperly handles pull-secret validation failures by embedding the raw Secret contents into status condition messages. The `InfraEnv` Custom Resource Definition includes a `status.conditions` array where each condition contains a `message` field. When the referenced pull-secret fails validation, the service populates this message field with the complete Secret data rather than a sanitized error description. Because Kubernetes RBAC grants `view` ClusterRole holders read access to Custom Resources but not to Secrets, this creates an unintended information disclosure channel. An attacker with namespace-level view permissions can enumerate InfraEnv objects and extract registry credentials including usernames, passwords, email addresses, and base64-encoded authentication tokens from the status fields.

Defensive priority

Medium

Recommended defensive actions

  • Audit InfraEnv objects in affected namespaces for sensitive data in status.conditions[].message fields
  • Review RBAC bindings to identify principals with view access to InfraEnv resources
  • Implement admission controls to prevent Secret data from being written to Custom Resource status fields
  • Monitor for anomalous read patterns on InfraEnv resources by non-Secret-reading principals
  • Apply vendor patches when available from Red Hat for ACM/MCE assisted-service components
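The first recommended action, auditing `status.conditions[].message` for leaked credential material, as an added example in Python (not part of the PatchSiren debrief or of Red Hat's tooling): it scans the JSON that `kubectl get infraenv -A -o json` returns for docker-config style credentials and masks the `auth` values before anything is written into a report. The sample InfraEnv list, namespace, registry and credential below are constructed.

```python
import base64
import json
import re
import sys
# Constructed sample of `kubectl get infraenv -A -o json` output: the first item carries a
# failed-validation condition whose message embeds the pull secret; every value is made up.
LEAKED_DOCKERCONFIG = json.dumps({"auths": {"quay.io": {
    "auth": base64.b64encode(b"robot:s3cret-token").decode(), "email": "robot@example.test"}}})
SAMPLE_INFRAENV_LIST = {"items": [
    {"metadata": {"name": "lab-env", "namespace": "assisted-installer"},
     "status": {"conditions": [{"type": "ImageCreated", "status": "False",
                                "message": "pull secret validation failed: " + LEAKED_DOCKERCONFIG}]}},
    {"metadata": {"name": "clean-env", "namespace": "assisted-installer"},
     "status": {"conditions": [{"type": "ImageCreated", "status": "True",
                                "message": "Image has been created"}]}},
]}

AUTHS_RE = re.compile(r'"auths"\s*:\s*\{')                       # docker config skeleton
AUTH_FIELD_RE = re.compile(r'"auth"\s*:\s*"([A-Za-z0-9+/=]+)"')  # base64 "user:password" field

def looks_like_basic_auth(token):
    """True if a base64 token decodes to printable text containing ':' (a docker `auth` value)."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    return ":" in decoded and decoded.isprintable()

def find_leaked_pull_secrets(infraenv_list):
    """Return (namespace, name, condition type, token count) for each condition whose
    message carries docker-config style credentials."""
    findings = []
    for item in infraenv_list.get("items", []):
        meta = item.get("metadata", {})
        for cond in item.get("status", {}).get("conditions", []):
            msg = cond.get("message", "")
            tokens = AUTH_FIELD_RE.findall(msg)
            if AUTHS_RE.search(msg) or any(looks_like_basic_auth(t) for t in tokens):
                findings.append((meta.get("namespace"), meta.get("name"), cond.get("type"), len(tokens)))
    return findings

def redact(message):
    """Mask `auth` values so a finding can go into a ticket without copying the credential."""
    return AUTH_FIELD_RE.sub('"auth": "[REDACTED]"', message)

if __name__ == "__main__":  # real use: kubectl get infraenv -A -o json | python3 audit_infraenv.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_INFRAENV_LIST
    for ns, name, ctype, n in find_leaked_pull_secrets(data):
        print(f"{ns}/{name}: condition {ctype} exposes {n} credential token(s)")
```

Run with no stdin to see the constructed finding; any InfraEnv it flags should be treated as a credential exposure and the referenced pull secret rotated.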

Evidence notes

CVE published 2026-05-29T16:16:24.483Z; modified 2026-05-29T16:29:34.540Z. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N. Weakness classified as CWE-201 (Insertion of Sensitive Information Into Sent Data). Vendor evidence points to Red Hat based on reference domain analysis.

Official resources

2026-05-29