CRITICAL · CVE-2026-10840 · CNA: redhat

CVE-2026-10840: Openshift-pipelines-operator-rh: openshift-pipelines-operator: tekton-scheduler-rolebinding grants system:authenticated write access to kueue and cert-manager resources

A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate.

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: no fix version published yet
Affected products: 7


HarborGuard Analysis

Synopsis

This is a privilege escalation vulnerability in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding incorrectly grants write access to Kueue and cert-manager custom resources to every authenticated user on the cluster, reachable over the network with only a low-privilege account. Successful exploitation allows an attacker to disrupt workload scheduling, delete other tenants' Workload objects, or force cert-manager to overwrite TLS Secrets including the default ingress controller certificate. No fix versions have been published yet; HarborGuard is tracking the upstream advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: CVE-2026-10840 is ingested from upstream feeds within minutes of publication and matched against customer images and pipeline artifacts, including custom-built OpenShift Pipelines operator images. Any image found to carry the affected operator is flagged immediately in the customer registry view.

Triage: Available

HarborGuard scores this CVE at CVSS 9.6 (Critical) and weights it against each environment's compliance policy to determine urgency tier and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the Red Hat advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. In the meantime, compensating controls such as network-policy isolation for the affected ClusterRoleBinding subjects and egress filtering on Kueue and cert-manager API endpoints are surfaced in the advisory detail for each environment.

Exploit Conditions

  • Network reachability: Required

    The vulnerable API server endpoint is exposed over the network; an attacker must be able to reach the Kubernetes API server to send crafted requests.

  • Authentication: Required

    Any low-privilege authenticated account is sufficient; the misconfigured ClusterRoleBinding applies to the entire system:authenticated group, so no elevated credentials are needed beyond a basic cluster login.

  • Victim interaction: Not required

    No victim action is needed; the attacker sends API requests directly without requiring any other user to click, approve, or otherwise interact.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is straightforward and requires no race conditions, special memory layout, or environmental prerequisites beyond cluster access.

Blast Radius

  • Attacker deletes or modifies other tenants' Kueue Workload objects, disrupting job scheduling across the cluster.
  • Attacker tampers with scheduling priorities, causing workloads to be starved or incorrectly prioritized.
  • Attacker forces cert-manager to overwrite TLS Secrets, including the default ingress controller certificate, breaking HTTPS for cluster-wide ingress.
  • Cluster availability is degraded as scheduling and certificate infrastructure are manipulated or destroyed.

How HarborGuard Handles This

Available on HarborGuard. Because no upstream fix has been published for CVE-2026-10840, HarborGuard continuously re-checks the Red Hat advisory on each ingest cycle and will surface a patched-image rebuild the moment Red Hat ships a fix. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point. While awaiting a fix, HarborGuard surfaces the following compensating controls in the advisory detail for each affected environment:

  • restricting network policy to limit which principals can reach the Kubernetes API server for Kueue and cert-manager resource paths;
  • auditing existing ClusterRoleBindings to identify and manually tighten the tekton-scheduler-rolebinding scope;
  • enabling API server audit logging on the affected resource groups to detect unauthorized write activity.

For environments where compliance policy permits, a manual override of the ClusterRoleBinding can be flagged and tracked as a policy exception inside HarborGuard until the official patch is available.
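The ClusterRoleBinding audit named above can be scripted. As an added example (not HarborGuard's or Red Hat's code), the function below reads ClusterRoles and ClusterRoleBindings in the shape `kubectl -o json` produces and flags any binding that hands system:authenticated (or system:unauthenticated) a role with write verbs on Kueue or cert-manager API groups, while leaving read-only and ServiceAccount-scoped bindings alone. The API group names kueue.x-k8s.io and cert-manager.io, the rule contents of tekton-scheduler-role, and the hardened ServiceAccount binding are assumptions; all sample objects are constructed.

```python
# Assumed API groups of the Kueue and cert-manager custom resources.
SENSITIVE_GROUPS = {"kueue.x-k8s.io", "cert-manager.io"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Constructed sample objects (kubectl -o json shape) modelled on the advisory;
# the role's rule contents and the hardened ServiceAccount binding are assumptions.
ROLES = {"items": [
    {"metadata": {"name": "tekton-scheduler-role"}, "rules": [
        {"apiGroups": ["kueue.x-k8s.io"], "resources": ["workloads", "workloadpriorityclasses"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": ["cert-manager.io"], "resources": ["certificates"],
         "verbs": ["get", "list", "create", "update", "patch", "delete"]}]},
    {"metadata": {"name": "pipelines-view"}, "rules": [          # read-only: must not be flagged
        {"apiGroups": ["kueue.x-k8s.io"], "resources": ["workloads"], "verbs": ["get", "list", "watch"]}]},
]}
BINDINGS = {"items": [
    {"metadata": {"name": "tekton-scheduler-rolebinding"},       # the advisory's flaw
     "roleRef": {"kind": "ClusterRole", "name": "tekton-scheduler-role"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "pipelines-view-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "pipelines-view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "tekton-scheduler-sa-binding"},        # hypothetical hardened form
     "roleRef": {"kind": "ClusterRole", "name": "tekton-scheduler-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "tekton-scheduler", "namespace": "openshift-pipelines"}]},
]}

def role_write_groups(role):
    """Sensitive API groups (or '*') that any rule of the ClusterRole can write to."""
    hits = set()
    for rule in role.get("rules", []):
        if set(rule.get("verbs", [])) & WRITE_VERBS:
            hits |= set(rule.get("apiGroups", [])) & (SENSITIVE_GROUPS | {"*"})
    return hits

def find_overbroad_bindings(roles=ROLES, bindings=BINDINGS):
    """Return (binding, role, broad groups, writable API groups) for each risky binding."""
    by_name = {r["metadata"]["name"]: r for r in roles["items"]}
    findings = []
    for b in bindings["items"]:
        ref = b.get("roleRef", {})
        broad = {s["name"] for s in b.get("subjects", []) if s.get("kind") == "Group"} & BROAD_GROUPS
        role = by_name.get(ref.get("name")) if ref.get("kind") == "ClusterRole" else None
        writable = role_write_groups(role) if role and broad else set()
        if writable:
            findings.append((b["metadata"]["name"], ref["name"], sorted(broad), sorted(writable)))
    return findings

if __name__ == "__main__":
    print(*find_overbroad_bindings(), sep="\n")
```

Against a live cluster, pass `json.load` of `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` as the two arguments; the same check applies to namespaced RoleBindings if the roleRef lookup is extended to Roles.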

Affected packages
  • Red Hat / Builds for Red Hat OpenShift
  • Red Hat / OpenShift Pipelines
  • Red Hat / OpenShift Pipelines
  • Red Hat / OpenShift Pipelines
  • Red Hat / OpenShift Pipelines
  • Red Hat / OpenShift Pipelines
  • Red Hat / OpenShift Pipelines
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H