The vulnerability exists in the assisted-service REST API of the Multicluster Engine (MCE) for Kubernetes 2.10, specifically in the local authentication mode used by on-premises ACM/MCE hub deployments. Authenticated users with minimal namespace-scoped privileges can access the credentials download endpoints that return kubeadmin passwords and kubeconfig files for arbitrary clusters. This is possible because the local authenticator grants full administrative access to any request bearing a valid JWT, which is embedded in plaintext in URLs accessible to users with get rights on InfraEnv objects in their namespaces. Consequently, attackers can gain unrestricted root-level administrative access to any OpenShift cluster provisioned through the hub. The vulnerability does not impact the hosted SaaS offering (console.redhat.com). No patch or official remediation has been published yet.

Successful exploitation allows an attacker with minimal privileges to obtain kubeadmin passwords and kubeconfig files for any OpenShift cluster managed by the affected Multicluster Engine hub. This grants the attacker unrestricted root-level administrative access to those clusters, potentially compromising cluster integrity and security. The vulnerability affects on-premises deployments using the local authentication mode and does not impact the hosted SaaS service. There are no known exploits in the wild as of the advisory date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The Red Hat advisories linked do not indicate any available fixes or patches for this vulnerability at this time. Users should monitor Red Hat's official security advisories for updates. Since the vulnerability arises from the local authentication mode and exposure of JWT tokens in URLs, consider restricting access to InfraEnv objects and reviewing authentication configurations as interim risk reduction measures until an official fix is released.