PatchSiren cyber security CVE debrief

CVE-2026-7163 Red Hat CVE debrief

CVE-2026-7163 is a vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allowing an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. The vulnerability affects Red Hat Advanced Cluster Management (ACM) deployments that include MCE. Successful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.

Vendor: Red Hat
Product: multicluster engine for Kubernetes 2.10
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-30
Original CVE updated: 2026-06-30
Advisory published: 2026-04-30
Advisory updated: 2026-06-30

Who should care

Operators of Multicluster Engine (MCE) hubs, including Red Hat Advanced Cluster Management (ACM) deployments that bundle MCE, are affected. Hub administrators, and anyone who grants users access to the affected components, should take immediate action to mitigate the vulnerability.

Technical summary

The vulnerability arises because the credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials) and the kubeconfig download endpoint remain reachable in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL, and that field is readable by any user who has get rights on an InfraEnv object in their own namespace.

Defensive priority

High priority should be given to patching the affected components, as the vulnerability allows for unauthorized access to administrative credentials. Defenders should also review their inventory of affected systems and prioritize patching based on risk and exposure.

Recommended defensive actions

  • Apply patches from Red Hat as soon as possible
  • Review and update access controls for the affected components
  • Monitor for suspicious activity related to the assisted-service REST API
  • Consider implementing additional security measures, such as network restrictions or enhanced authentication
  • Verify and update the inventory of affected systems
  • Test and validate patches before deployment
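The technical summary above and the "Monitor for suspicious activity" action can be turned into a concrete detection: a single principal pulling credentials for several different clusters from the hub is the signature of the abuse this CVE enables. The following is an added example, not code from PatchSiren or Red Hat; the access-log format, the `/api/assisted-install` prefix and the `downloads/credentials` path for the kubeconfig endpoint are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in combined-log style. The real
# assisted-service log format is an assumption; adapt LINE_RE to yours.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Apr/2026:10:01:02 +0000] "GET /api/assisted-install/v2/infra-envs/aaaa1111 HTTP/1.1" 200
10.0.0.9 - - [30/Apr/2026:10:02:10 +0000] "GET /api/assisted-install/v2/clusters/c1/credentials HTTP/1.1" 200
10.0.0.9 - - [30/Apr/2026:10:02:11 +0000] "GET /api/assisted-install/v2/clusters/c2/downloads/credentials?file_name=kubeconfig HTTP/1.1" 200
10.0.0.9 - - [30/Apr/2026:10:02:12 +0000] "GET /api/assisted-install/v2/clusters/c3/credentials HTTP/1.1" 200
10.0.0.7 - - [30/Apr/2026:10:05:00 +0000] "GET /api/assisted-install/v2/clusters/c1/credentials HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Credentials endpoint from the advisory plus the assumed kubeconfig download path.
CRED_RE = re.compile(r'/v2/clusters/(?P<cluster>[^/?]+)/(credentials|downloads/credentials)(\?|$)')

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def credential_fetches(log_text):
    """Return (src, cluster_id, ts) for each successful credential/kubeconfig download."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["method"] != "GET" or rec["status"] != "200":
            continue
        m = CRED_RE.search(rec["path"])
        if m:
            hits.append((rec["src"], m.group("cluster"), rec["ts"]))
    return hits

def suspicious_sources(log_text, max_clusters=1):
    """Sources that fetched credentials for more distinct clusters than max_clusters."""
    per_src = defaultdict(set)
    for src, cluster, _ in credential_fetches(log_text):
        per_src[src].add(cluster)
    return {src: sorted(c) for src, c in per_src.items() if len(c) > max_clusters}

if __name__ == "__main__":
    for src, clusters in suspicious_sources(SAMPLE_LOG).items():
        print(f"ALERT {src} pulled credentials for {len(clusters)} clusters: {clusters}")
```

Tune `max_clusters` to the number of spoke clusters a given automation account legitimately provisions; every hit is worth logging regardless, since on a patched hub the endpoints should see little traffic in local mode.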

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, its impact, and affected components. Vendor advisories and errata are available from Red Hat, providing guidance on mitigation and patching.

Official resources

This article is AI-assisted and based on the supplied source corpus.