Red Hat has issued an advisory (RHSA-2026:2139) for multiple security vulnerabilities affecting the Red Hat Trusted Artifact Signer (RHTAS) Operator version 1.3.2. These vulnerabilities include command injection, race conditions, deadlocks, and path traversal issues, as indicated by associated CWEs (CWE-78, CWE-770, CWE-409, CWE-22). The affected product is used in conjunction with OpenShift Container Platform versions 4.16 to 4.20. The advisory references five CVEs in total but does not provide CVSS scores or detailed technical exploitation information. No patches or fixes are explicitly mentioned in the advisory content, nor are any known exploits reported. The product is a self-managed on-premise tool for signing and verifying software artifacts to maintain software supply chain security.

The vulnerabilities present in RHTAS 1.3.2 could potentially allow attackers to execute unauthorized commands, cause race conditions or deadlocks, and perform path traversal attacks, which may compromise the integrity and availability of the software supply chain signing process. However, no known exploits have been reported in the wild. The impact is considered high severity based on the nature of the vulnerabilities and their potential to affect critical supply chain security operations. Without confirmed patches, affected deployments may remain at risk until remediation is applied.

The vendor advisory does not explicitly state that a patch or fix is available for these vulnerabilities. Therefore, patch status is not yet confirmed — users should monitor the official Red Hat advisory (RHSA-2026:2139) and product documentation for updates on remediation. Since RHTAS is a self-managed on-premise deployment, organizations should consider limiting access to the operator, applying strict operational controls, and following Red Hat's product documentation for secure usage. No vendor-provided temporary fixes or mitigations are currently documented in the advisory.