CVE-2026-46579: Improper Authentication in Red Hat OpenShift Container Platform 4
A flaw was found in the OpenShift Router. When a Route has `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend does not remove `X-SSL-Client-*` headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted `X-SSL-Client-*` headers. As a result, backends relying on these headers for mutual TLS (Transport Layer Security) authentication can be bypassed, enabling the attacker to impersonate client certificate identities.
AI Analysis
Technical Summary
The vulnerability exists in the OpenShift Router component of Red Hat OpenShift Container Platform 4. Specifically, if a Route has the insecureEdgeTerminationPolicy set to Allow, the router does not strip X-SSL-Client-* headers from HTTP requests. Attackers can exploit this by sending plain HTTP requests with forged X-SSL-Client-* headers, which backend services rely on for mutual TLS authentication. This allows attackers to bypass client certificate authentication and impersonate legitimate clients. The issue is documented under CVE-2026-46579 with a CVSS 3.1 score of 7.4 (high severity).
Potential Impact
An unauthenticated attacker can bypass mutual TLS authentication by injecting crafted X-SSL-Client-* headers into plain HTTP requests to a Route whose insecureEdgeTerminationPolicy is set to Allow. This can lead to unauthorized access to backend services that trust these headers for client identity verification, potentially compromising the confidentiality and integrity of communications. No availability impact is indicated.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-46579 for current remediation guidance. Until an official fix is available, consider avoiding Routes with insecureEdgeTerminationPolicy set to Allow, or implementing additional controls that validate client identities rather than relying solely on X-SSL-Client-* headers.
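As an added example (not Red Hat's code or the OpenShift Router's), the Go backend check below implements the second recommendation: X-SSL-Client-* headers are discarded unless the request reached the backend through a TLS-terminated path, so a plain-HTTP request can no longer supply a client-certificate identity. It assumes the router sets X-Forwarded-Proto authoritatively on every frontend and uses HAProxy-style header names (X-SSL-Client-DN, X-SSL-Client-Verify), neither of which the advisory states.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Go canonicalises header names ("X-SSL-Client-DN" -> "X-Ssl-Client-Dn").
const clientCertPrefix = "X-Ssl-Client-"

// arrivedOverTLS reports whether the edge router terminated TLS for r. Assumption:
// the router sets X-Forwarded-Proto itself, so a plain-HTTP request never carries "https".
func arrivedOverTLS(r *http.Request) bool {
	return r.TLS != nil || strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
}

// StripUntrustedClientCertHeaders drops every X-SSL-Client-* header from a
// request that did not arrive over TLS (the step the vulnerable router skips
// under insecureEdgeTerminationPolicy: Allow) and returns the names removed.
func StripUntrustedClientCertHeaders(r *http.Request) []string {
	if arrivedOverTLS(r) {
		return nil
	}
	var removed []string
	for name := range r.Header {
		if strings.HasPrefix(name, clientCertPrefix) {
			removed = append(removed, name)
			r.Header.Del(name) // deleting while ranging a map is safe in Go
		}
	}
	return removed
}

// ClientIdentity returns the client DN the backend may trust, or "" if none.
// Header names follow HAProxy conventions (assumed); "0" is ssl_c_verify's success value.
func ClientIdentity(r *http.Request) string {
	StripUntrustedClientCertHeaders(r)
	if r.Header.Get("X-SSL-Client-Verify") != "0" {
		return ""
	}
	return r.Header.Get("X-SSL-Client-DN")
}

func main() { // constructed request: plain HTTP carrying forged mTLS headers
	r := httptest.NewRequest("GET", "http://app.example/admin", nil)
	r.Header.Set("X-Forwarded-Proto", "http")
	r.Header.Set("X-SSL-Client-DN", "CN=admin")
	r.Header.Set("X-SSL-Client-Verify", "0")
	fmt.Printf("stripped %v, identity %q\n", StripUntrustedClientCertHeaders(r), ClientIdentity(r))
}
```

Wrapping the check in an http.Handler middleware in front of the application gives every route the same protection, regardless of which headers each handler later reads.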
CVSS v3.1 Score: 7.4 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2026-05-28T06:07:06.526Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
- Vendor Advisory URLs: Red Hat, https://access.redhat.com/security/cve/CVE-2026-46579
Threat ID: 6a196b7ee29bf47b50da1b95
Added to database: 5/29/2026, 10:33:34 AM
Last enriched: 5/29/2026, 10:48:43 AM
Last updated: 5/29/2026, 7:58:16 PM