CVE-2026-10101— Assisted-service: assisted-service: infraenv status leaks referenced pull-secret contents to namespace view users
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Multicluster Engine for Kubernetes | any | unknown |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-10101
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Assisted-service: assisted-service: infraenv status leaks referenced pull-secret contents to namespace view users
Source: NVD (National Vulnerability Database)
Vulnerability Description
ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterRole cannot directly read Secrets, but can read `InfraEnv` objects and recover the referenced Secret's `.dockerconfigjson` data from status. This bypasses the Kubernetes/OpenShift RBAC separation between read-only namespace viewers and Secret readers. In the reproduced proof, the same ServiceAccount was denied `get` and `list` on Secrets, but recovered synthetic pull-secret `username`, `password`, `email`, and base64 `auth` fields through `InfraEnv.status`.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过发送数据的信息暴露
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Multicluster Engine for Kubernetes | - | cpe:/a:redhat:multicluster_engine |
II. Public POCs for CVE-2026-10101
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-10101
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-10101 (1)
Other References for CVE-2026-10101 (1)
Same Patch Batch · Red Hat · 2026-05-29 · 6 CVEs total
| CVE-2026-42965 | 7.7 HIGH | Openshift/router: openshift/router: cloud metadata ssrf via fqdn-typed endpointslice bypas |
| CVE-2026-46579 | 7.4 HIGH | Openshift/router: openshift/router: mtls client certificate spoofing via unstripped x-ssl- |
| CVE-2026-6324 | 4.8 MEDIUM | Libsoup: libsoup: http request smuggling via unsigned to signed conversion error |
| CVE-2026-10052 | 4.1 MEDIUM | Quay/config-tool: quay/config-tool: ssrf via unfiltered ldap and smtp config validation en |
| CVE-2026-10078 | 2.7 LOW | Quay/config-tool: quay/config-tool: gitlab oauth client_secret exposed in url querystring |
IV. Related Vulnerabilities
Same vendor: Red Hat
- CVE-2026-5419
Guntls: gnutls: information disclosure via timing side-chann - CVE-2026-43958
Rrdtool: rrdtool: stack buffer overflow allows local code ex - CVE-2026-10118
Poppler: integer overflow in poppler splashoutputdev::tiling - CVE-2026-10533
Openshift: openshift: non-admin user can bypass resourcequot - CVE-2026-10517
Clair: clair: unauthenticated ssrf via manifest layer uri en
Same weakness: CWE-201
- CVE-2026-42673
WordPress Activity Logs, User Activity Tracking, Multisite A - CVE-2026-49370
JetBrains YouTrack<2026.1.13162 信息泄露漏洞 - CVE-2026-45582
n8n-MCP: Workflow telemetry sanitizer could retain partial v - CVE-2026-42746
WordPress Smart Online Order for Clover plugin <= 1.6.0 - Se - CVE-2026-48877
WordPress GenerateBlocks plugin <= 2.1.0 - Sensitive Data Ex
V. Comments for CVE-2026-10101
No comments yet