CVE-2025-12103 is a vulnerability identified in Red Hat OpenShift AI 3.0, specifically within the TrustyAI component. The issue stems from incorrect privilege assignment where TrustyAI creates a Kubernetes Role named 'trustyai-service-operator-lmeval-user-role' and a ClusterRoleBinding 'trustyai-service-operator-default-lmeval-user-rolebinding' that binds this role to the 'system:authenticated' group. This binding effectively grants every authenticated user and service account in the cluster permissions to perform get, list, and watch operations on pods across all namespaces. Additionally, users gain access to all persistent volume claims and lmevaljobs resources. This misconfiguration leads to excessive permissions being granted cluster-wide, violating the principle of least privilege. The vulnerability is classified with a CVSS 3.1 base score of 5.0 (medium severity), reflecting network attack vector, low attack complexity, required privileges (low), no user interaction, and a scope change with limited confidentiality impact. While no integrity or availability impacts are noted, the exposure of pod and storage resource information can facilitate further attacks such as reconnaissance, privilege escalation, or targeted exploitation. No public exploits have been reported yet, but the vulnerability is published and should be addressed promptly. The flaw affects all deployments of Red Hat OpenShift AI 3.0 using the TrustyAI component with default role bindings.

The primary impact of this vulnerability is unauthorized information disclosure within Kubernetes clusters running Red Hat OpenShift AI 3.0. By granting all authenticated users and service accounts permissions to view pods, persistent volume claims, and lmevaljobs across all namespaces, attackers or malicious insiders can gather detailed information about workloads, configurations, and storage resources. This reconnaissance capability can enable further attacks such as privilege escalation, targeted exploitation of vulnerable pods, or data exfiltration. Although the vulnerability does not directly affect data integrity or availability, the exposure of sensitive cluster resource metadata undermines confidentiality and cluster security posture. Organizations with multi-tenant clusters or those exposing authentication interfaces publicly are at higher risk. The scope of affected systems includes all clusters running the vulnerable version of Red Hat OpenShift AI 3.0 with the TrustyAI component installed. The vulnerability could also increase the attack surface for supply chain or insider threats by enabling broader visibility into cluster workloads.

To mitigate CVE-2025-12103, organizations should immediately audit the roles and cluster role bindings created by the TrustyAI component, specifically the 'trustyai-service-operator-lmeval-user-role' and 'trustyai-service-operator-default-lmeval-user-rolebinding'. Remove or restrict the binding from the 'system:authenticated' group to limit permissions only to necessary service accounts or users. Implement the principle of least privilege by creating narrowly scoped roles that grant only required permissions to specific service accounts. Additionally, monitor and log access to pod, persistent volume claim, and lmevaljob resources to detect anomalous activity. Apply any patches or updates released by Red Hat addressing this vulnerability as soon as they become available. Consider network segmentation and strong authentication mechanisms to reduce the risk of unauthorized access to the cluster. Finally, review cluster RBAC policies regularly to prevent similar privilege misconfigurations.