CVE-2026-10840

Published: Giu 04, 2026 Last Modified: Giu 04, 2026
ExploitDB:
Other exploit source:
Google Dorks:
CRITICAL 9,6
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: changed
Confidentiality: none
Integrity: high
Availability: high

Description

AI Translation Available

A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate.

732

Incorrect Permission Assignment for Critical Resource

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Access Control Integrity Other
Potential Impacts:
Read Application Data Read Files Or Directories Gain Privileges Or Assume Identity Modify Application Data Other
Applicable Platforms
Technologies: Not Technology-Specific, Cloud Computing
Likelihood of Exploit: High
View CWE Details
https://access.redhat.com/security/cve/CVE-2026-10840
https://access.redhat.com/security/cve/CVE-2026-10840
https://bugzilla.redhat.com/show_bug.cgi?id=2484720
https://bugzilla.redhat.com/show_bug.cgi?id=2484720