CVE-2025-11060 is an authorization bypass vulnerability discovered in the live query subscription mechanism of the database engine used by Red Hat's OpenShift Service Mesh 3. The vulnerability allows users with record-level or guest privileges to craft LIVE SELECT subscription queries that exploit the way the system handles record alterations or deletions by other users. This flaw enables unauthorized observation of records within the same database table that the attacker should not have access to, effectively bypassing the intended access control policies. The vulnerability affects multiple versions of OpenShift Service Mesh 3, specifically versions 0, 2.2.0, 2.3.0, and 3.3.0. The CVSS v3.1 score is 5.7, reflecting a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), and user interaction (UI:R). The scope is unchanged (S:U), and the impact is high on confidentiality (C:H) but none on integrity (I:N) or availability (A:N). This means an attacker can read unauthorized data but cannot modify or disrupt the system. No public exploits or active exploitation have been reported yet. The flaw arises from improper authorization checks in the live query subscription feature, which is designed to provide real-time updates on database changes. When other users alter or delete records, the crafted subscription can leak data that should be restricted. This vulnerability is particularly concerning in multi-tenant environments or where sensitive data is stored in the same tables accessible by different user roles.

The primary impact of CVE-2025-11060 is unauthorized disclosure of sensitive data due to bypassed access controls in the live query subscription mechanism. Organizations using affected versions of OpenShift Service Mesh 3 may experience confidentiality breaches, potentially exposing sensitive or regulated information to unauthorized users with limited privileges. This can lead to compliance violations, reputational damage, and increased risk of further attacks leveraging leaked data. Since the vulnerability does not affect data integrity or availability, the risk of data manipulation or service disruption is low. However, the ease of exploitation with low privileges and user interaction means attackers inside the network or with limited access could leverage this flaw to escalate data access. Multi-tenant cloud environments, managed service providers, and enterprises with strict data segregation requirements are particularly vulnerable. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as threat actors may develop exploits once the vulnerability details are widely known.

To mitigate CVE-2025-11060, organizations should prioritize upgrading to patched versions of OpenShift Service Mesh 3 once available from Red Hat. Until patches are released, administrators should restrict access to the live query subscription feature, limiting it to trusted users only. Implement strict network segmentation and access controls to reduce exposure of the affected service to untrusted or low-privilege users. Monitor logs for unusual subscription queries or patterns indicative of crafted LIVE SELECT subscriptions attempting to bypass access controls. Employ role-based access control (RBAC) policies to minimize privileges granted to record or guest users, especially restricting their ability to initiate live queries. Consider disabling live query subscriptions if they are not essential for operational needs. Additionally, conduct regular security audits and penetration testing focused on database access controls and subscription mechanisms. Stay informed on Red Hat advisories for official patches and guidance.