Red Hat Product Security issued an important security advisory (RHSA-2026:2951) for OpenShift API for Data Protection (OADP), which enables backup and restore operations for application resources and persistent volumes. The advisory addresses three CVEs (CVE-2025-47907, CVE-2025-52881, CVE-2025-61729) affecting OADP versions including 1.4 and related container images. The vulnerabilities involve concurrency issues (CWE-362), path traversal (CWE-59), and another CWE-1050, potentially impacting backup and restore functionality. The vendor has released updated OADP images and recommends applying these updates after installing all previously released errata. No exploits are currently known in the wild. The advisory includes detailed references and updated container image digests for multiple architectures.

The vulnerabilities affect the integrity and security of backup and restore operations in Red Hat OpenShift API for Data Protection. Exploitation could potentially lead to unauthorized access or manipulation of backup data or disruption of backup processes. However, no known exploits have been reported in the wild. The impact is significant enough for Red Hat to assign a high severity rating and issue updated software versions to remediate the issues.

Red Hat has released updated versions of OpenShift API for Data Protection that address these vulnerabilities. Users should apply the new OADP version as detailed in advisory RHSA-2026:2951. Prior to updating, ensure all previously released relevant errata for your system are applied. Follow Red Hat's official guidance and use the updated container images provided in the advisory. No additional mitigation steps are indicated by the vendor beyond applying the official fix.