CVE-2025-12103: Incorrect Privilege Assignment in Red Hat OpenShift AI (RHOAI)
A flaw was found in the Red Hat OpenShift AI Service. The TrustyAI component grants all service accounts and users on a cluster permission to get, list, and watch any pod in any namespace on the cluster. TrustyAI creates a role `trustyai-service-operator-lmeval-user-role` and a ClusterRoleBinding (CRB) `trustyai-service-operator-default-lmeval-user-rolebinding` that is applied to `system:authenticated`, so every user or service account can get a list of pods running in any namespace on the cluster. Additionally, users can access all `persistentvolumeclaims` and `lmevaljobs`.
AI Analysis
Technical Summary
CVE-2025-12103 is a vulnerability identified in the TrustyAI component of Red Hat OpenShift AI (RHOAI). The issue arises from an incorrect privilege assignment where a role named `trustyai-service-operator-lmeval-user-role` and a cluster role binding `trustyai-service-operator-default-lmeval-user-rolebinding` are created and bound to the `system:authenticated` group. This group includes every authenticated user and service account on the cluster, effectively granting them permissions to get, list, and watch any pod in any namespace. Furthermore, the vulnerability extends access to all persistent volume claims (PVCs) and lmevaljobs, which are custom resources related to AI model evaluation jobs. This misconfiguration results in an information disclosure vulnerability, allowing unauthorized users to enumerate pods and PVCs cluster-wide. While it does not permit modification or deletion of resources, the exposure of resource metadata and state can facilitate reconnaissance and subsequent attacks. The vulnerability has a CVSS 3.1 base score of 5.0 (medium severity), with an attack vector of network, low attack complexity, requiring privileges (authenticated users), no user interaction, and a scope change since it affects cluster-wide resources. No patches or exploits are currently reported, but the flaw is publicly disclosed and should be addressed promptly to prevent misuse.
Potential Impact
For European organizations leveraging Red Hat OpenShift AI, this vulnerability can lead to unauthorized information disclosure about cluster workloads and storage resources. Attackers or malicious insiders with any authenticated access can enumerate pods and persistent volume claims across all namespaces, potentially revealing sensitive application details, deployment patterns, or data storage configurations. This information can be leveraged to identify high-value targets, plan lateral movement, or exploit other vulnerabilities. Although the vulnerability does not allow direct modification or disruption of resources, the confidentiality impact is significant in environments handling sensitive AI workloads or regulated data. The exposure of lmevaljobs could reveal proprietary AI model evaluation processes. Organizations in sectors such as finance, healthcare, and critical infrastructure, which often deploy AI workloads on OpenShift, may face increased risk. The medium severity rating reflects the balance between ease of exploitation (authenticated access required) and the impact limited to information disclosure without integrity or availability compromise.
Mitigation Recommendations
To mitigate CVE-2025-12103, organizations should first audit the cluster role bindings and roles created by the TrustyAI component, specifically the `trustyai-service-operator-lmeval-user-role` and `trustyai-service-operator-default-lmeval-user-rolebinding`. Immediate steps include removing or restricting the cluster role binding from the `system:authenticated` group to limit permissions only to necessary service accounts or users. Implement the principle of least privilege by creating dedicated roles for TrustyAI components with narrowly scoped permissions. Monitor and log access to pods, persistent volume claims, and lmevaljobs to detect unusual enumeration activity. If available, apply vendor patches or updates from Red Hat addressing this issue as soon as they are released. Additionally, enforce strong authentication and authorization controls on the OpenShift cluster, including network segmentation and RBAC policies that prevent broad access to sensitive resources. Regularly review and tighten cluster-wide permissions and consider using admission controllers or policy enforcement tools (e.g., Open Policy Agent) to prevent overly permissive role bindings. Finally, educate cluster administrators about the risks of granting broad permissions to authenticated users and service accounts.
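The audit step above can be automated. The following is an added example, not code from Red Hat, TrustyAI or this advisory: it flags any ClusterRoleBinding that gives a cluster-wide group read access to pods, PVCs or lmevaljobs, and it generalizes beyond `system:authenticated` to two other broad built-in groups. The sample objects are constructed from the advisory's description, and their `apiGroups` values are assumptions.

```python
# Added example (not Red Hat or TrustyAI code). Inputs have the shape of the
# `items` lists from `oc get clusterrolebindings -o json` and `oc get clusterroles -o json`.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}
READ_VERBS = {"get", "list", "watch", "*"}
WATCHED = {"pods", "persistentvolumeclaims", "lmevaljobs", "*"}

def broad_read_grants(bindings, roles):
    """List (binding, group, resource, verb) for cluster-wide read access given to a broad group."""
    rules_by_role = {r["metadata"]["name"]: r.get("rules") or [] for r in roles}
    findings = []
    for crb in bindings:
        groups = [s["name"] for s in crb.get("subjects") or []
                  if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS]
        if not groups or crb["roleRef"]["kind"] != "ClusterRole":
            continue
        for rule in rules_by_role.get(crb["roleRef"]["name"], []):
            for res in WATCHED.intersection(rule.get("resources", [])):
                for verb in READ_VERBS.intersection(rule.get("verbs", [])):
                    findings.extend((crb["metadata"]["name"], g, res, verb) for g in groups)
    return sorted(findings)

# Constructed sample: rule contents are inferred from the advisory text; apiGroups are assumed.
ROLES = [
    {"metadata": {"name": "trustyai-service-operator-lmeval-user-role"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods", "persistentvolumeclaims"],
          "verbs": ["get", "list", "watch"]},
         {"apiGroups": ["trustyai.opendatahub.io"], "resources": ["lmevaljobs"],
          "verbs": ["get", "list", "watch"]}]},
    # Benign built-in binding to the same group: must not be flagged.
    {"metadata": {"name": "system:basic-user"},
     "rules": [{"apiGroups": ["authorization.k8s.io"],
                "resources": ["selfsubjectaccessreviews"], "verbs": ["create"]}]},
]
BINDINGS = [
    {"metadata": {"name": "trustyai-service-operator-default-lmeval-user-rolebinding"},
     "roleRef": {"kind": "ClusterRole", "name": "trustyai-service-operator-lmeval-user-role"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]

if __name__ == "__main__":
    for finding in broad_read_grants(BINDINGS, ROLES):
        print(*finding)
```

An empty result after the binding's subject is narrowed to specific service accounts or users confirms the restriction took effect.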
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-10-23T02:55:38.369Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6900c82a05cd0025c8e834e0
Added to database: 10/28/2025, 1:42:02 PM
Last enriched: 10/28/2025, 1:52:25 PM
Last updated: 10/28/2025, 6:31:12 PM