CVE-2026-4645 is a vulnerability identified in the Red Hat Compliance Operator, specifically stemming from a flaw in the third-party component github.com/antchfx/xpath. The issue arises when the logicalQuery.Select function processes crafted Boolean XPath expressions that always evaluate to true, causing the function to enter an infinite loop. This infinite loop leads to sustained 100% CPU utilization, effectively rendering the affected system unresponsive and causing a denial of service (DoS). The vulnerability can be exploited remotely without any authentication or user interaction, increasing its risk profile. The Compliance Operator is a Kubernetes operator used to automate compliance scanning and reporting, often deployed in enterprise and cloud environments running Red Hat OpenShift or similar platforms. The vulnerability does not impact confidentiality or integrity but severely impacts availability. No patches or known exploits are currently reported, but the CVSS score of 7.5 (high) reflects the significant risk posed by this flaw. The vulnerability highlights the dangers of unvalidated input in XPath processing within critical compliance tooling.

The primary impact of CVE-2026-4645 is a denial of service condition caused by resource exhaustion (100% CPU utilization) on systems running the Red Hat Compliance Operator. This can disrupt compliance monitoring and reporting processes, potentially delaying detection of other security issues or regulatory non-compliance. In environments where the Compliance Operator is integrated into continuous compliance workflows, this disruption could cascade, affecting operational security and audit readiness. Since the vulnerability can be triggered remotely without authentication, attackers can exploit it to degrade service availability at scale. Organizations relying heavily on Red Hat OpenShift and associated compliance tooling may experience operational downtime or degraded performance. Although no data confidentiality or integrity loss is expected, the availability impact alone can have significant operational and reputational consequences, especially in regulated industries or critical infrastructure sectors.

To mitigate CVE-2026-4645, organizations should monitor Red Hat advisories closely and apply patches or updates to the Compliance Operator and the underlying github.com/antchfx/xpath component as soon as they become available. In the interim, restrict network access to the Compliance Operator API endpoints to trusted sources only, using network segmentation and firewall rules to limit exposure. Implement runtime monitoring and alerting for abnormal CPU usage patterns on nodes running the Compliance Operator to detect potential exploitation attempts early. Consider deploying rate limiting or input validation proxies to filter out suspicious or malformed XPath queries before they reach the operator. Additionally, review and harden Kubernetes role-based access controls (RBAC) to minimize who can submit XPath queries or interact with the Compliance Operator. Finally, conduct regular security assessments and penetration tests focusing on compliance tooling to identify and remediate similar logic or input validation flaws.