CVE-2026-7163

MEDIUM EPSS 5.4%

Published Apr 30, 20262mo ago · Modified Jun 17, 20261w ago

5.5 CVSS 3.1

Medium

Published Apr 30, 2026 2mo ago

Last Modified Jun 17, 2026 1w ago

Description

A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. The credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace. The affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected. This issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode. Successful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.

CVSS Details

Base Score

5.5

Exploitability

1.8

Impact

3.6

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector Local

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity None

Availability None

Threat Intelligence

EPSS Exploit Probability

5.4% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-312

Affected Products 2

Vendor	Product	Version	Range
redhat	multicluster_engine_for_kubernetes	2.1	any
redhat	multicluster_engine_for_kubernetes	2.7	any

References 8

access.redhat.com https://access.redhat.com/errata/RHSA-2026:11511

Vendor Advisory
access.redhat.com https://access.redhat.com/errata/RHSA-2026:11512

Vendor Advisory
access.redhat.com https://access.redhat.com/errata/RHSA-2026:12116

Vendor Advisory
access.redhat.com https://access.redhat.com/errata/RHSA-2026:12337

Vendor Advisory
access.redhat.com https://access.redhat.com/errata/RHSA-2026:18584
access.redhat.com https://access.redhat.com/errata/RHSA-2026:18585
access.redhat.com https://access.redhat.com/security/cve/CVE-2026-7163

Vendor Advisory
bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2463152

Issue Tracking

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.