PatchSiren cyber security CVE debrief
CVE-2026-10840 Red Hat CVE debrief
A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate.
- Vendor: Red Hat
- Product: Builds for Red Hat OpenShift
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-09
Who should care
Users of the OpenShift Pipelines operator, particularly on clusters where Kueue or cert-manager CRDs are present.
Technical summary
The OpenShift Pipelines operator's tekton-scheduler-rolebinding ClusterRoleBinding binds the system:authenticated group to the tekton-scheduler-role ClusterRole, which grants write access to Kueue and cert-manager custom resources. This allows any authenticated user to disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets.
Defensive priority
HIGH
Recommended defensive actions
- Review and restrict the permissions granted to the system:authenticated group.
- Ensure that Kueue and cert-manager CRDs are not present on the cluster or restrict access to them.
- Monitor for suspicious activity related to workload scheduling and cert-manager.
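As an added check for the first two actions above (example code, not Red Hat's or the operator's), the script below flags ClusterRoleBindings that give system:authenticated or system:unauthenticated write verbs on Kueue (kueue.x-k8s.io) or cert-manager (cert-manager.io) resources. The API group names are real; the role's rule bodies and the input objects are constructed samples in the shape of `oc get clusterrolebinding,clusterrole -o json` items, since the advisory does not list the role's rules.

```python
# Added RBAC audit (not Red Hat's code): flag ClusterRoleBindings that give a
# broad group write access to Kueue or cert-manager resources.
# Input shape matches `oc get clusterrolebinding,clusterrole -o json` items;
# the sample objects below are constructed, as the advisory gives no rule bodies.

SENSITIVE_GROUPS = {"kueue.x-k8s.io", "cert-manager.io"}   # real API groups
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
BROAD_SUBJECTS = {"system:authenticated", "system:unauthenticated"}


def writable_sensitive_groups(role):
    """Sensitive API groups a ClusterRole can write to ('*' counts as all)."""
    hit = set()
    for rule in role.get("rules", []):
        if set(rule.get("verbs", [])) & WRITE_VERBS:
            groups = set(rule.get("apiGroups", []))
            hit |= SENSITIVE_GROUPS if "*" in groups else groups & SENSITIVE_GROUPS
    return hit


def find_overbroad_bindings(bindings, roles):
    """Return sorted (binding, subject, api_group) triples worth reviewing."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    findings = []
    for b in bindings:
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole":
            continue
        writable = writable_sensitive_groups(by_name.get(ref.get("name"), {}))
        for s in b.get("subjects", []):
            if s.get("kind") == "Group" and s.get("name") in BROAD_SUBJECTS:
                findings += [(b["metadata"]["name"], s["name"], g) for g in writable]
    return sorted(findings)


# Constructed sample mirroring the advisory's description (rule bodies assumed).
SAMPLE_ROLE = {"metadata": {"name": "tekton-scheduler-role"}, "rules": [
    {"apiGroups": ["kueue.x-k8s.io"], "resources": ["workloads"],
     "verbs": ["get", "list", "create", "update", "delete"]},
    {"apiGroups": ["cert-manager.io"], "resources": ["certificates"],
     "verbs": ["get", "create", "update"]}]}
SAMPLE_BINDING = {"metadata": {"name": "tekton-scheduler-rolebinding"},
                  "roleRef": {"kind": "ClusterRole", "name": "tekton-scheduler-role"},
                  "subjects": [{"kind": "Group", "name": "system:authenticated"}]}

if __name__ == "__main__":
    for name, subject, group in find_overbroad_bindings([SAMPLE_BINDING], [SAMPLE_ROLE]):
        print(f"{name}: {subject} can write {group} resources")
```

On a live cluster, feed the `items` arrays of the two `oc get ... -o json` outputs to `find_overbroad_bindings`; an empty result after remediation confirms the binding no longer reaches a broad group.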
Evidence notes
The CVE-2026-10840 record was obtained from the NVD database, which lists the CVSS score as 7.1 and the severity as HIGH.
Official resources
CVE-2026-10840 was published on 2026-06-04T12:16:24.813Z and modified on 2026-06-09T09:16:28.380Z.