CVE-2026-7163

April 30, 2026, 10:16 p.m.

6.1
Medium

Description

A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. The credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace. The affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected. This issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode. Successful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.

Product(s) Impacted

Vendor Product Versions
Redhat
  • Multicluster Engine
  • Advanced Cluster Management
  • *
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-312
Cleartext Storage of Sensitive Information
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a redhat multicluster_engine / / / / / / / /
a redhat advanced_cluster_management / / / / / / / /

References

https://access.redhat.com/errata/RHSA-2026:11511
https://access.redhat.com/errata/RHSA-2026:11512
https://access.redhat.com/errata/RHSA-2026:12116
https://access.redhat.com/errata/RHSA-2026:12337
https://access.redhat.com/security/cve/CVE-2026-7163
https://bugzilla.redhat.com/show_bug.cgi?id=2463152

Tags

[email protected]
CWE-312
2026-04-30
CVE-2026-7163

CVSS Score

6.1 / 10

CVSS Data - 3.1

  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

    View Vector String

Timeline

Published: April 30, 2026, 2:16 p.m.
Last Modified: April 30, 2026, 10:16 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.