PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54099 Red Hat CVE debrief

CVE-2026-54099 is a HIGH-severity vulnerability in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The WICD CSR auto-approver checks that a Certificate Signing Request carries the organization system:wicd-nodes but does not reject additional organization values such as system:masters, so a compromised Windows worker node holding WICD credentials can obtain a cluster-signed client certificate that carries cluster-administrator privileges. This flaw can lead to full cluster takeover. The vulnerability has a CVSS 3.1 base score of 8.8. Red Hat OpenShift Container Platform users should assess their exposure and prioritize mitigation.

Vendor
Red Hat
Product
Red Hat OpenShift Container Platform 4
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-22
Original CVE updated
2026-06-22
Advisory published
2026-06-22
Advisory updated
2026-06-22

Who should care

Administrators of Red Hat OpenShift Container Platform clusters that run Windows worker nodes through WMCO are directly affected, since the WICD CSR auto-approver ships with that operator. The attack requires WICD credentials, so the realistic attacker is one who has already compromised a Windows worker node or its credentials; from there the flaw turns a single-node compromise into cluster-administrator access, which is why cluster administrators and security teams should treat this as a high-priority issue.

Technical summary

The Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform has a flaw in the WICD CSR auto-approver. It validates that a Certificate Signing Request contains the organization system:wicd-nodes but does not reject additional organization values such as system:masters. A compromised Windows worker node holding WICD credentials can therefore submit a CSR whose subject carries both organizations; the approver accepts it and the cluster signs it. The resulting client certificate is the problem: kube-apiserver's client-certificate authenticator maps every Organization (O) value in a certificate to a Kubernetes group name, and system:masters is the built-in superuser group that is authorized before RBAC is consulted. The certificate is thus cluster-admin regardless of any RoleBinding, and because Kubernetes does not revoke client certificates it stays valid until it expires. This enables full cluster takeover. The vulnerability's CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H: local access with low privileges (the WICD credentials on the node), no user interaction, and a scope change because the node compromise becomes a control-plane compromise.
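The approver logic described above, as an added example in Go (WMCO's implementation language) written for this debrief and not taken from WMCO or Red Hat: it builds a CSR the way a compromised node could, with O=[system:wicd-nodes, system:masters], and runs it through a model of the flawed presence check and a hardened exact-match check. The function names, the CN system:node:win-worker-0 and the generated key are assumptions for illustration (the advisory does not state WICD's CN convention); the extraGroups helper is the same subject check applied when auditing CSRs that already exist in a cluster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// Organization the WICD auto-approver expects to find in a CSR (from the advisory).
const wicdNodesOrg = "system:wicd-nodes"

// kube-apiserver maps every Organization (O) value in a client certificate to a
// group name, and system:masters is its built-in superuser group.
const mastersGroup = "system:masters"

// parseSubject decodes a PEM-encoded CSR, verifies its proof-of-possession
// signature and returns the subject's Common Name and Organization values.
func parseSubject(csrPEM []byte) (cn string, orgs []string, err error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", nil, errors.New("input is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", nil, err
	}
	return csr.Subject.CommonName, csr.Subject.Organization, nil
}

// weakApprove models the flawed logic described in the advisory: it only asks
// whether system:wicd-nodes is present, so extra organizations are not rejected.
func weakApprove(orgs []string) bool {
	for _, o := range orgs {
		if o == wicdNodesOrg {
			return true
		}
	}
	return false
}

// strictApprove is the hardened check: the organization set must be exactly
// [system:wicd-nodes]; any extra value would become a group on the signed cert.
func strictApprove(orgs []string) error {
	if len(orgs) != 1 || orgs[0] != wicdNodesOrg {
		return fmt.Errorf("CSR organizations %q must be exactly [%s]", orgs, wicdNodesOrg)
	}
	return nil
}

// extraGroups lists the groups a signed certificate would carry beyond the
// expected one; the same check is useful when auditing already-approved CSRs.
func extraGroups(orgs []string) []string {
	var extra []string
	for _, o := range orgs {
		if o != wicdNodesOrg {
			extra = append(extra, o)
		}
	}
	return extra
}

// makeCSR builds a PEM CSR with the given subject. Key and subject are
// constructed here for the example, not taken from a real cluster.
func makeCSR(cn string, orgs []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: orgs}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

func main() {
	// The CN is a placeholder: the advisory does not state WICD's CN convention.
	for _, tc := range []struct {
		name string
		orgs []string
	}{
		{"benign WICD CSR", []string{wicdNodesOrg}},
		{"CSR from a compromised node", []string{wicdNodesOrg, mastersGroup}},
	} {
		csrPEM, err := makeCSR("system:node:win-worker-0", tc.orgs)
		if err != nil {
			panic(err)
		}
		cn, orgs, err := parseSubject(csrPEM)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: CN=%s O=%v\n", tc.name, cn, orgs)
		fmt.Printf("  weak approver approved=%v, strict approver err=%v\n", weakApprove(orgs), strictApprove(orgs))
		fmt.Printf("  groups beyond %s: %v\n", wicdNodesOrg, extraGroups(orgs))
	}
}
```

The benign CSR passes both checks; the malicious one passes weakApprove but is rejected by strictApprove, and extraGroups reports system:masters, the group the cluster would have granted. Note that the order of Organization values after DER encoding is not guaranteed to match the order they were written in, which is one more reason an approver must compare the whole set rather than look at a single position.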

Defensive priority

High priority due to potential for full cluster takeover

Recommended defensive actions

  • Update WMCO to a release in which the WICD CSR auto-approver rejects any organization value other than system:wicd-nodes; take the fixed version from the Red Hat advisory rather than patching the approver locally.
  • Until the update is applied, treat every Windows worker node and its WICD credentials as a path to cluster-admin: limit who can log on to or administer those nodes, and keep the WICD credentials off shared or long-lived storage.
  • Audit CSRs, not just monitor them: for pending and approved CSRs in the certificates.k8s.io API, decode each spec.request (base64-encoded PEM) and inspect the subject with openssl req -noout -subject; flag any request from a WICD identity whose subject carries more than one O value or O=system:masters, and review API-server audit logs for CSR creations by those identities.
  • Do not rely on RBAC to contain a certificate that was already issued: system:masters is authorized before RBAC is evaluated, and Kubernetes does not revoke client certificates, so a certificate found to carry that group is valid until it expires. Treat such a finding as an incident and plan rotation of the signer the API server trusts for client certificates.
  • Verify the integrity of Windows worker nodes and their credentials, and rotate the WICD credentials of any node you cannot vouch for.

Evidence notes

The primary evidence for this vulnerability comes from the NVD and Red Hat sources. The vulnerability affects Red Hat OpenShift Container Platform with Windows worker nodes. The WICD CSR auto-approver's improper validation of Certificate Signing Requests is the root cause. Defenders should verify the CVSS score, vector, and references from official sources.

Official resources

This article is AI-assisted and based on the supplied source corpus.