The Red Hat Trusted Artifact Signer (RHTAS) Operator version 1.3.3 and related 1.3 releases for amd64 architectures are affected by multiple vulnerabilities tracked under CVE-2025-66471 and four additional CVEs from 2026. These vulnerabilities impact the cryptographic signing and verification processes used to secure software artifacts in OpenShift Container Platform environments (versions 4.16 to 4.21). The advisory groups these CVEs but does not disclose detailed technical exploit information or specific vulnerability types beyond referencing CWEs (CWE-409, CWE-295, CWE-347, CWE-248) which relate to concurrency issues, improper certificate validation, improper authentication, and improper access control respectively. The Red Hat advisory (RHSA-2026:5459) does not currently provide patches or fixes for these issues, nor does it report any active exploitation. The product is self-managed and on-premise, requiring users to monitor Red Hat advisories for future updates.

The vulnerabilities affect the integrity and security of the artifact signing and verification process within the Red Hat Trusted Artifact Signer Operator, potentially undermining software supply chain assurance. The exact impact is not detailed, but the referenced CWEs suggest risks including race conditions, certificate validation failures, authentication bypass, and access control weaknesses. No known exploits in the wild have been reported. The high severity rating indicates these issues could have significant security implications if exploited.

Currently, no patches or fixes are available for these vulnerabilities as per the Red Hat advisory RHSA-2026:5459. Users should monitor Red Hat's official security advisories and update the Red Hat Trusted Artifact Signer Operator promptly once a fix is released. Since this is a self-managed on-premise deployment, organizations should follow Red Hat's product documentation and best practices for secure deployment and operation of RHTAS. No vendor-provided mitigation or workaround is indicated at this time.