CVE-2026-10843: Execution with Unnecessary Privileges in Red Hat Red Hat OpenShift Container Platform 4
A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise.
AI Analysis
Technical Summary
This vulnerability involves excessive privilege assignment in the OpenShift Cloud Credential Operator's Mint-mode IAM policies for AWS within Red Hat OpenShift Container Platform 4. Specifically, operator credentials are provisioned with account-wide scope rather than being restricted to cluster-owned resources. This misconfiguration allows for cross-scope impact if the credentials are compromised, potentially enabling destructive actions beyond the intended resource boundaries. The CVSS 3.1 base score is 7.2, indicating high severity. The affected product is a cloud-hosted service, and Red Hat provides a patch to address this issue. No known active exploitation has been reported.
Potential Impact
If exploited, this vulnerability allows an attacker who compromises the operator credentials to perform destructive actions across the entire AWS account, not limited to cluster-owned resources. This broad scope can lead to significant confidentiality, integrity, and availability impacts on AWS resources managed under the compromised account. However, there are no known exploits in the wild currently.
Mitigation Recommendations
Red Hat manages remediation for this vulnerability as it affects a cloud-hosted service. A patch is available, and users should apply the official fix provided by Red Hat as detailed in their advisory at https://access.redhat.com/security/cve/CVE-2026-10843. Until patched, organizations should review and restrict IAM policies to limit credential scope where possible. Monitor Red Hat's advisory for updates and apply patches promptly.
CVE-2026-10843: Execution with Unnecessary Privileges in Red Hat Red Hat OpenShift Container Platform 4
Description
A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise.
CVSS v3.1
Score 7.2high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves excessive privilege assignment in the OpenShift Cloud Credential Operator's Mint-mode IAM policies for AWS within Red Hat OpenShift Container Platform 4. Specifically, operator credentials are provisioned with account-wide scope rather than being restricted to cluster-owned resources. This misconfiguration allows for cross-scope impact if the credentials are compromised, potentially enabling destructive actions beyond the intended resource boundaries. The CVSS 3.1 base score is 7.2, indicating high severity. The affected product is a cloud-hosted service, and Red Hat provides a patch to address this issue. No known active exploitation has been reported.
Potential Impact
If exploited, this vulnerability allows an attacker who compromises the operator credentials to perform destructive actions across the entire AWS account, not limited to cluster-owned resources. This broad scope can lead to significant confidentiality, integrity, and availability impacts on AWS resources managed under the compromised account. However, there are no known exploits in the wild currently.
Mitigation Recommendations
Red Hat manages remediation for this vulnerability as it affects a cloud-hosted service. A patch is available, and users should apply the official fix provided by Red Hat as detailed in their advisory at https://access.redhat.com/security/cve/CVE-2026-10843. Until patched, organizations should review and restrict IAM policies to limit credential scope where possible. Monitor Red Hat's advisory for updates and apply patches promptly.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-06-04T11:52:56.953Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-10843","vendor":"Red Hat"}]
Threat ID: 6a216d2ee29bf47b509f3c37
Added to database: 6/4/2026, 12:18:54 PM
Last enriched: 6/4/2026, 12:33:43 PM
Last updated: 6/4/2026, 11:01:32 PM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.