OpenShift Container Platform CVE-2026-7309 Incomplete Fix for Env Injection in Build System

Vulnerability Overview CVE ID: CVE-2026-7309 Description: An incomplete fix was discovered in the OpenShift Container Platform build system. The still accepts arbitrary environment variable names (including , , , , , ), which are propagated to the privileged container. Severity: Medium Impact Scope Affected Component: OpenShift Container Platform Affected Versions: Not specified Operating System: Linux Hardware: 48 Priority: Medium Severity: Medium Remediation Fix Status: Unfixed Fixed Version: Not specified Remediation Description: Users can inject environment variables into any within a namespace using the default . Environment variable name validation only uses a format regular expression and lacks a semantic deny list for dangerous names. Actual Impact: Limited to unsupported minimal role configurations. Tested Version: OCP 4.21.0 Note: The fix for has been applied, but environment variable injection into still exists. Code Block

Goal Reached Thanks to every supporter — we hit 100%!

OpenShift Container Platform CVE-2026-7309 Incomplete Fix for Env Injection in Build System