CVE-2025-12103 identifies a privilege misconfiguration vulnerability in the TrustyAI component of Red Hat OpenShift AI 3.0. TrustyAI creates a role named 'trustyai-service-operator-lmeval-user-role' and a cluster role binding 'trustyai-service-operator-default-lmeval-user-rolebinding' that is bound to the 'system:authenticated' group. This binding inadvertently grants every authenticated user and service account in the cluster permissions to perform 'get', 'list', and 'watch' operations on pods across all namespaces. Additionally, users gain access to all persistent volume claims and lmevaljobs resources. This broad permission set exposes potentially sensitive cluster information, such as pod metadata and storage claims, to any authenticated entity, violating the principle of least privilege. The vulnerability is exploitable remotely without user interaction and requires only low privileges to leverage, making it easier for attackers with minimal access to gather intelligence about cluster workloads and storage. While the vulnerability does not allow modification or deletion of resources, the unauthorized disclosure of cluster resource information can facilitate further attacks or reconnaissance. The CVSS 3.1 base score is 5.0 (medium), reflecting the limited impact on integrity and availability but notable confidentiality concerns. No patches or known exploits are currently reported, but organizations should act promptly to audit and restrict these permissions to mitigate risk.

For European organizations, this vulnerability poses a risk of unauthorized information disclosure within Kubernetes clusters running Red Hat OpenShift AI 3.0. Attackers or malicious insiders with any authenticated access can enumerate pods and persistent volume claims across all namespaces, potentially revealing sensitive application deployment details, workload configurations, and storage usage. This information can be leveraged to identify high-value targets, understand cluster topology, and plan further attacks such as privilege escalation or data exfiltration. Although the vulnerability does not directly allow modification or disruption of services, the confidentiality breach can undermine compliance with data protection regulations like GDPR if sensitive data or workloads are exposed. Organizations relying on AI workloads and container orchestration in regulated industries (finance, healthcare, government) may face increased risk of reputational damage and regulatory scrutiny. The vulnerability also increases the attack surface for supply chain or lateral movement attacks within multi-tenant or shared clusters common in European cloud environments.

European organizations should immediately audit the roles and cluster role bindings in their OpenShift AI 3.0 clusters, focusing on the 'trustyai-service-operator-lmeval-user-role' and its associated cluster role binding. Specifically, they should: 1) Remove or restrict the binding of this role to the broad 'system:authenticated' group, limiting it only to necessary service accounts or users with explicit need. 2) Implement Role-Based Access Control (RBAC) policies that enforce the principle of least privilege, ensuring users and service accounts have only the minimum permissions required. 3) Monitor and log access to pod and persistent volume claim resources to detect unusual enumeration or access patterns. 4) If possible, isolate AI workloads in dedicated namespaces with stricter access controls to reduce exposure. 5) Stay updated with Red Hat advisories for patches or configuration guidance addressing this vulnerability. 6) Conduct regular security reviews and penetration testing to validate that privilege assignments do not expose sensitive cluster resources. 7) Educate cluster administrators about the risks of overly permissive RBAC bindings and best practices for Kubernetes security.