CVE-2025-11060: Incorrect Authorization
A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or delete records.
AI Analysis
Technical Summary
CVE-2025-11060 is a vulnerability in the live query subscription mechanism of the database engine within Red Hat's OpenShift Service Mesh 3, affecting versions 0, 2.2.0, 2.3.0, and 3.3.0. It allows users with record-level or guest privileges to bypass the intended access controls and observe records in the same table that they are not authorized to read. The exposure happens through crafted LIVE SELECT subscriptions: when other users modify or delete records, the live query update path fails to enforce the subscriber's access controls on the affected records. Only low privileges are required, and some user interaction (another user altering or deleting a record) is needed to trigger the disclosure. The impact is limited to confidentiality; data integrity and availability are not affected. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N) encodes a network attack vector, low attack complexity, low privileges required, user interaction required, unchanged scope, high confidentiality impact, and no integrity or availability impact. No exploitation in the wild had been reported as of the publication date (September 26, 2025). The vulnerability is rated medium severity, balancing the ease of exploitation against an impact confined to confidentiality.
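As an added illustration (constructed here, not the database engine's or Red Hat's code), a toy live-query dispatcher shows the authorization gap the summary describes: with recheck_on_notify=False the row-level SELECT rule is applied only when the LIVE SELECT is registered, so a guest subscriber receives the contents of another user's record whenever that record is altered or deleted, while with True the rule is re-evaluated for every notification. The table layout, the can_select rule and the doc:1 row are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Subscriber:
    user: str                                   # "guest" or a record-user id
    events: list = field(default_factory=list)  # notifications delivered so far

def can_select(user: str, row: dict) -> bool:
    # Assumed row-level SELECT rule: guests see public rows, record users their own.
    if user == "guest":
        return bool(row.get("public"))
    return row.get("owner") == user

class LiveTable:
    # Constructed model, not the engine's code: recheck_on_notify=False reproduces
    # the flaw (permission checked only when the LIVE SELECT is registered).
    def __init__(self, recheck_on_notify: bool):
        self.rows: dict = {}
        self.subs: list = []
        self.recheck = recheck_on_notify

    def live_select(self, user: str) -> Subscriber:
        sub = Subscriber(user)                  # any user may subscribe to the table
        self.subs.append(sub)
        return sub

    def _notify(self, action, before, after):
        # UPDATE exposes the new state; DELETE only has the old state to check.
        row = before if action == "DELETE" else after
        for sub in self.subs:
            if self.recheck and not can_select(sub.user, row):
                continue                        # hardened: unauthorized rows never leave
            sub.events.append((action, dict(row)))

    def update(self, rid: str, changes: dict) -> None:
        before = dict(self.rows[rid])
        self.rows[rid].update(changes)
        self._notify("UPDATE", before, self.rows[rid])

    def delete(self, rid: str) -> None:
        self._notify("DELETE", self.rows.pop(rid), None)

def leaked_rows(recheck_on_notify: bool) -> list:
    # Replay the advisory's scenario: a guest subscribes, then the owner alters and deletes.
    t = LiveTable(recheck_on_notify)
    guest = t.live_select("guest")
    t.rows["doc:1"] = {"owner": "alice", "secret": "s1", "public": False}  # seeded row
    t.update("doc:1", {"secret": "s2"})
    t.delete("doc:1")
    return [row for _, row in guest.events if not can_select("guest", row)]
```

Auditing a real engine for this class of bug means checking that the permission filter runs on the notification path, not only at subscription time, and that DELETE notifications are filtered against the pre-change row.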
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized data disclosure within environments using the affected versions of OpenShift Service Mesh 3. Organizations relying on live query subscriptions for real-time data updates may inadvertently expose sensitive information to users who should not have access, potentially leading to data leakage of confidential or regulated data. This could impact compliance with GDPR and other data protection regulations, resulting in legal and reputational consequences. The vulnerability does not allow data modification or denial of service, limiting its impact to confidentiality breaches. However, the ease of exploitation with low privileges and user interaction means insider threats or compromised low-privilege accounts could leverage this flaw to escalate data access. This is particularly critical for sectors handling sensitive data such as finance, healthcare, and government services across Europe.
Mitigation Recommendations
1. Apply official patches from Red Hat as soon as they are released to address CVE-2025-11060.
2. Until patches are available, restrict the use of live query subscriptions to trusted users only, minimizing the number of users with record or guest privileges capable of initiating such queries.
3. Implement strict access control policies and regularly audit user permissions related to database query subscriptions.
4. Monitor live query subscription activity for unusual patterns or attempts to access unauthorized records, using logging and anomaly detection tools.
5. Educate users about the risks of interacting with crafted live queries and enforce multi-factor authentication to reduce the risk of compromised accounts.
6. Consider network segmentation and isolation of critical OpenShift Service Mesh deployments to limit exposure.
7. Engage with Red Hat support for guidance on interim mitigations and best practices specific to your deployment environment.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-09-26T11:46:23.698Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68d68454446db3b7cfbd106b
Added to database: 9/26/2025, 12:17:24 PM
Last enriched: 11/7/2025, 8:26:55 PM
Last updated: 11/15/2025, 7:12:36 PM