CVE-2026-10101— Assisted-service: assisted-service: infraenv status leaks referenced pull-secret contents to namespace view users
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Multicluster Engine for Kubernetes | any | unknown |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-10101
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Assisted-service: assisted-service: infraenv status leaks referenced pull-secret contents to namespace view users
Source: NVD (National Vulnerability Database)
Vulnerability Description
ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterRole cannot directly read Secrets, but can read `InfraEnv` objects and recover the referenced Secret's `.dockerconfigjson` data from status. This bypasses the Kubernetes/OpenShift RBAC separation between read-only namespace viewers and Secret readers. In the reproduced proof, the same ServiceAccount was denied `get` and `list` on Secrets, but recovered synthetic pull-secret `username`, `password`, `email`, and base64 `auth` fields through `InfraEnv.status`.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过发送数据的信息暴露
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Multicluster Engine for Kubernetes | - | cpe:/a:redhat:multicluster_engine |
II. Public POCs for CVE-2026-10101
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-10101
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-10101 (1)
Other References for CVE-2026-10101 (1)
Same Patch Batch · Red Hat · 2026-05-29 · 6 CVEs total
| CVE-2026-42965 | 7.7 HIGH | Openshift/router: openshift/router: cloud metadata ssrf via fqdn-typed endpointslice bypas |
| CVE-2026-46579 | 7.4 HIGH | Openshift/router: openshift/router: mtls client certificate spoofing via unstripped x-ssl- |
| CVE-2026-6324 | 4.8 MEDIUM | Libsoup: libsoup: http request smuggling via unsigned to signed conversion error |
| CVE-2026-10052 | 4.1 MEDIUM | Quay/config-tool: quay/config-tool: ssrf via unfiltered ldap and smtp config validation en |
| CVE-2026-10078 | 2.7 LOW | Quay/config-tool: quay/config-tool: gitlab oauth client_secret exposed in url querystring |
IV. Related Vulnerabilities
Same vendor: Red Hat
- CVE-2026-42965
Openshift/router: openshift/router: cloud metadata ssrf via - CVE-2026-46579
Openshift/router: openshift/router: mtls client certificate - CVE-2026-10078
Quay/config-tool: quay/config-tool: gitlab oauth client_secr - CVE-2026-10052
Quay/config-tool: quay/config-tool: ssrf via unfiltered ldap - CVE-2026-6324
Libsoup: libsoup: http request smuggling via unsigned to sig
Same weakness: CWE-201
- CVE-2026-49370
JetBrains YouTrack<2026.1.13162 信息泄露漏洞 - CVE-2026-45582
n8n-MCP: Workflow telemetry sanitizer could retain partial v - CVE-2026-42746
WordPress Smart Online Order for Clover plugin <= 1.6.0 - Se - CVE-2026-48877
WordPress GenerateBlocks plugin <= 2.1.0 - Sensitive Data Ex - CVE-2026-41181
Traefik: Errors middleware forwards Authorization and Cookie
V. Comments for CVE-2026-10101
No comments yet