PatchSiren cyber security CVE debrief
CVE-2026-7163 Red Hat CVE debrief
CVE-2026-7163 is a vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allowing an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. The vulnerability affects Red Hat Advanced Cluster Management (ACM) deployments that include MCE. Successful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.
- Vendor: Red Hat
- Product: multicluster engine for Kubernetes 2.10
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-30
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-30
- Advisory updated: 2026-06-30
Who should care
Operators of Multicluster Engine (MCE) hubs and of Red Hat Advanced Cluster Management (ACM) deployments that include MCE are affected. Administrators of such hubs, and anyone who grants namespace-scoped access on them, should treat this as requiring immediate mitigation.
Technical summary
The vulnerability arises because the credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials) and the kubeconfig download endpoint remain operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. In that mode the local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. Such a JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL, so any user with get rights on an InfraEnv object in their own namespace can read it and present it to the credential endpoints of any cluster on the hub.
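The first thing a defender wants from that description is an inventory: which InfraEnv objects on the hub currently carry a token in their download URL, and when those tokens expire. The script below is an added example, not Red Hat or assisted-service code. It assumes the JSON shape of `kubectl get infraenvs -A -o json`, that the Go field InfraEnvStatus.ISODownloadURL named above serializes as `status.isoDownloadURL`, and that the token is the value of some query parameter (the parameter name is not assumed: any three-segment base64url value is treated as a JWT, and its payload is decoded without signature verification only to read the `exp` claim). The sample objects and the `api_key` parameter name are constructed for the example.

```python
"""Audit InfraEnv objects for a JWT exposed in status.isoDownloadURL.

Added example, not Red Hat or assisted-service code. Assumptions: input is the
JSON from `kubectl get infraenvs -A -o json`; InfraEnvStatus.ISODownloadURL
serializes as `status.isoDownloadURL`; the token is the value of some query
parameter (name not assumed). The payload is decoded without verification,
only to report the `exp` claim.
"""
import base64
import json
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def find_jwt_in_url(url: str):
    """Return (param_name, claims) for the first JWT-shaped query value, else None."""
    for name, values in parse_qs(urlparse(url).query).items():
        for value in values:
            if not JWT_RE.match(value):
                continue
            try:
                claims = json.loads(_b64url_decode(value.split(".")[1]))
            except ValueError:  # covers binascii.Error and JSONDecodeError
                claims = {}
            if not isinstance(claims, dict):
                claims = {}
            return name, claims
    return None


def audit_infraenvs(infraenv_list: dict) -> list:
    """One finding per InfraEnv whose ISO download URL carries a token."""
    findings = []
    for item in infraenv_list.get("items", []):
        meta = item.get("metadata", {})
        url = item.get("status", {}).get("isoDownloadURL") or ""
        hit = find_jwt_in_url(url)
        if hit is None:
            continue
        param, claims = hit
        exp = claims.get("exp")
        expires = None
        if isinstance(exp, (int, float)):
            expires = datetime.fromtimestamp(exp, tz=timezone.utc).isoformat()
        findings.append({"namespace": meta.get("namespace"), "name": meta.get("name"),
                         "param": param, "expires": expires})
    return findings


def _demo_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string for the sample data only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: three InfraEnvs, one of which exposes a token under a
# made-up query parameter name `api_key`.
SAMPLE_INFRAENVS = {"items": [
    {"metadata": {"namespace": "team-a", "name": "edge-site-1"},
     "status": {"isoDownloadURL": "https://assisted-image-service.hub.example/images/abc"
                                  "?api_key=" + _demo_token({"exp": 1800000000})}},
    {"metadata": {"namespace": "team-b", "name": "edge-site-2"},
     "status": {"isoDownloadURL": "https://assisted-image-service.hub.example/images/def?version=4.16"}},
    {"metadata": {"namespace": "team-c", "name": "edge-site-3"}, "status": {}},
]}

if __name__ == "__main__":
    for f in audit_infraenvs(SAMPLE_INFRAENVS):
        print(f"{f['namespace']}/{f['name']}: token in '{f['param']}', expires {f['expires']}")
```

Run it against the real hub by piping `kubectl get infraenvs -A -o json` into `audit_infraenvs(json.load(sys.stdin))`; every finding is a namespace whose InfraEnv readers can currently obtain a hub-wide token, which is the set of tokens to rotate once the patch is applied.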
Defensive priority
Treat patching as high priority: the flaw turns minimal namespace-scoped access on the hub into administrative credentials for every cluster the hub has provisioned. Defenders should also review their inventory of affected hubs and prioritize patching by risk and exposure.
Recommended defensive actions
- Apply patches from Red Hat as soon as possible
- Review who holds get rights on InfraEnv objects and tighten RBAC on the affected components
- Monitor the assisted-service REST API for suspicious activity, in particular credential and kubeconfig downloads
- Consider additional controls, such as network restrictions on the assisted-service REST API and tighter authentication where the deployment allows it
- Verify and update the inventory of affected systems
- Test and validate patches before deployment
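The monitoring item above is concrete enough to automate. The script below is an added example, not part of the advisory or of assisted-service: it walks access-log lines, keeps successful GETs against the credential endpoints, and flags any token that pulled credentials for more clusters than expected, which is the pattern the advisory describes (one leaked token reaching arbitrary clusters). The log line format (timestamp, source IP, method, path, status, token fingerprint) and the sample lines are constructed for the example; the `/credentials` path is from the advisory, while the `/downloads/credentials` kubeconfig path and its `file_name` parameter are assumptions about the API.

```python
"""Flag credential and kubeconfig downloads from the assisted-service REST API.

Added example, not part of the advisory or of assisted-service. LOG_RE matches
a constructed access-log format; adapt it to the hub's real ingress or service
logs. The `/credentials` path is from the advisory; `/downloads/credentials`
is an assumption about the API.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) tok=(?P<tok>\S+)$"
)
# Credential-bearing endpoints; the cluster id is whatever sits between the slashes.
CRED_PATH_RE = re.compile(
    r"^/v2/clusters/(?P<cluster_id>[^/?]+)/(credentials|downloads/credentials)(\?|$)"
)


def parse_line(line: str):
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_credential_downloads(lines, max_clusters_per_token: int = 1):
    """Return (events, suspicious).

    events: successful GETs against a credential endpoint, with cluster_id added.
    suspicious: {token_fingerprint: sorted cluster ids} for tokens that fetched
    credentials for more than max_clusters_per_token distinct clusters.
    """
    events = []
    clusters_by_tok = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "GET" or rec["status"] != "200":
            continue
        m = CRED_PATH_RE.match(rec["path"])
        if not m:
            continue
        rec["cluster_id"] = m.group("cluster_id")
        events.append(rec)
        clusters_by_tok[rec["tok"]].add(rec["cluster_id"])
    suspicious = {tok: sorted(ids) for tok, ids in clusters_by_tok.items()
                  if len(ids) > max_clusters_per_token}
    return events, suspicious


# Constructed sample: one admin fetching its own cluster's credentials, and one
# token fingerprint sweeping credentials across several clusters.
SAMPLE_LOG = """\
2026-05-01T10:00:01Z 10.0.0.5 GET /v2/clusters/1f0c-aaaa/credentials 200 tok=fp-admin
2026-05-01T10:00:05Z 10.0.0.9 GET /v2/clusters 200 tok=fp-7c1e
2026-05-01T10:00:07Z 10.0.0.9 GET /v2/clusters/1f0c-aaaa/credentials 200 tok=fp-7c1e
2026-05-01T10:00:09Z 10.0.0.9 GET /v2/clusters/2e7d-bbbb/downloads/credentials?file_name=kubeconfig 200 tok=fp-7c1e
2026-05-01T10:00:12Z 10.0.0.9 GET /v2/clusters/3a9b-cccc/credentials 200 tok=fp-7c1e
2026-05-01T10:00:15Z 10.0.0.9 GET /v2/clusters/4b0e-dddd/credentials 401 tok=fp-7c1e
"""

if __name__ == "__main__":
    events, suspicious = find_credential_downloads(SAMPLE_LOG.splitlines())
    print(f"{len(events)} credential downloads")
    for tok, ids in suspicious.items():
        print(f"token {tok} pulled credentials for {len(ids)} clusters: {', '.join(ids)}")
```

The threshold is deliberately low: on an unpatched hub, a single token legitimately needing credentials for many clusters is rare, so cross-cluster credential pulls from one token are worth an analyst's attention even before any other indicator appears.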
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, its impact, and affected components. Vendor advisories and errata are available from Red Hat, providing guidance on mitigation and patching.
Official resources
- CVE-2026-7163 CVE record (CVE.org)
- CVE-2026-7163 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
This article is AI-assisted and based on the supplied source corpus.