SecuriTricks - CVE-2026-10840

Description

A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate.

Product(s) Impacted

Vendor	Product	Versions
Redhat	Openshift Pipelines Operator Kueue Cert-manager	* * *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-732

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	redhat	openshift_pipelines_operator	/	/	/	/	/	/	/	/
a	redhat	kueue	/	/	/	/	/	/	/	/
a	redhat	cert-manager	/	/	/	/	/	/	/	/

References

https://access.redhat.com/security/cve/CVE-2026-10840

https://bugzilla.redhat.com/show_bug.cgi?id=2484720

CVSS Score

9.6 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

View Vector String

Timeline

Published: June 4, 2026, 12:16 p.m.
Last Modified: June 4, 2026, 3:35 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-10840