CVE-2026-10843: cloud-credential-operator: CCO Mint-mode CredentialsRequest manifests grant account-wide IAM access beyond cluster scope on AWS
A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise.
Metrics
- CVSS v3.1: 7.2
- Severity: HIGH
- Fixed in: —
- Affected Products: 2
HarborGuard Analysis
Synopsis
A privilege-scope misconfiguration in the OpenShift Cloud Credential Operator (CCO) causes Mint-mode IAM credentials on AWS to be provisioned with account-wide permissions for destructive actions, rather than being scoped to cluster-owned resources. The flaw is reachable over the network by an admin-level user, meaning an attacker who compromises a privileged OpenShift credential can then use those over-provisioned IAM policies to affect the entire AWS account, not just the cluster. Successful exploitation enables an attacker to read, modify, or destroy AWS resources outside the cluster boundary. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection of CVE-2026-10843 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from affected OpenShift components. (Status: Available)
- HarborGuard scores this CVE at 7.2 HIGH (CVSS v3.1) and can weight findings against each customer org's compliance policy to surface it at the appropriate severity tier and route it to the correct team inbox within that organization. (Status: Available)
- No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Red Hat ships a fix, without requiring manual intervention from the customer. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
  The vulnerable component is exposed over the network, so an attacker must be able to reach the OpenShift API or CCO endpoint across a network path.
- Authentication: Required
  Exploitation requires an admin or otherwise privileged account; a low-privilege credential is not sufficient to trigger the affected IAM provisioning path.
- Victim interaction: Not required
  No user interaction is needed; the attacker can act entirely without involving another user or operator.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental factors.
Blast Radius
- An attacker who compromises a privileged credential gains access to IAM permissions scoped to the entire AWS account, not just cluster-owned resources.
- The attacker can read AWS resources across the account, including storage buckets, secrets, and other services that the cluster should not have visibility into.
- The attacker can modify or delete AWS infrastructure outside the cluster, such as altering IAM policies, removing storage objects, or reconfiguring networking resources account-wide.
- The attacker can trigger service disruptions that extend beyond the OpenShift cluster itself, affecting any AWS workload sharing the same account.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix has been published for CVE-2026-10843, HarborGuard continuously monitors the Red Hat advisory on every ingest cycle and will automatically queue a patched-image rebuild the moment a fix version is released. In the meantime, recommended compensating controls for affected environments include:
- applying AWS Service Control Policies or permission boundaries to restrict the IAM roles provisioned by CCO to only cluster-tagged resources;
- auditing existing CCO-provisioned IAM roles for account-wide destructive permissions and tightening them manually;
- isolating the cluster's AWS account using AWS Organizations to limit blast radius if a credential is compromised.
Customers who opt into auto-remediation will receive a rebuild, a regression-test run, and a PR opened against affected workloads as soon as the upstream patch is available.
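One way to perform the audit step above, as an added example that is not HarborGuard's or the Cloud Credential Operator's own code: a small Python checker that flags Allow statements granting destructive actions on wildcard resources without a condition pinning them to the cluster's ownership tag. The tag key `kubernetes.io/cluster/<infra-id>` and the sample policy document are constructed assumptions, not values taken from the advisory.

```python
# Constructed audit helper for this advisory, not HarborGuard or CCO code.
# Assumes cluster-owned AWS resources carry kubernetes.io/cluster/<infra-id>=owned;
# <infra-id> is a placeholder for the cluster's infrastructure ID.
CLUSTER_TAG_KEY = "kubernetes.io/cluster/<infra-id>"
CLUSTER_COND_KEY = f"aws:resourcetag/{CLUSTER_TAG_KEY}".lower()
DESTRUCTIVE_VERBS = ("Delete", "Terminate", "Put", "Update", "Modify", "Detach", "Revoke", "Deregister", "Release")

def is_destructive(action: str) -> bool:
    """True for actions that change or destroy resources; wildcards count."""
    if action == "*" or action.endswith(":*"):
        return True
    return action.partition(":")[2].rstrip("*").startswith(DESTRUCTIVE_VERBS)

def is_wildcard_resource(resource: str) -> bool:
    """A bare or trailing-wildcard resource is not pinned to specific objects."""
    return resource == "*" or resource.endswith(("/*", ":*"))

def scoped_to_cluster(statement: dict) -> bool:
    """True if a Condition restricts the statement to cluster-tagged resources."""
    for operator, pairs in statement.get("Condition", {}).items():
        if "StringEquals" in operator or "StringLike" in operator:
            if any(k.lower() == CLUSTER_COND_KEY for k in pairs):
                return True
    return False

def account_wide_destructive(policy: dict) -> list:
    """Allow statements with destructive actions on wildcard resources and no cluster-tag condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        risky = [a for a in actions if is_destructive(a)]
        if (risky and any(is_wildcard_resource(r) for r in resources)
                and not scoped_to_cluster(stmt)):
            findings.append({"sid": stmt.get("Sid"), "actions": risky})
    return findings

# Constructed sample policy: one unscoped and one tag-scoped statement.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Unscoped", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances",
                "ec2:DeleteSecurityGroup"]},
    {"Sid": "Scoped", "Effect": "Allow", "Resource": "*",
     "Action": "ec2:TerminateInstances",
     "Condition": {"StringEquals": {f"aws:ResourceTag/{CLUSTER_TAG_KEY}": "owned"}}},
]}
```

Running `account_wide_destructive` over each policy attached to a CCO-provisioned role reports only the unscoped statement, which is the one to tighten with a resource-tag condition or a permission boundary.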
Affected Products
- Red Hat / Red Hat OpenShift Container Platform 4
- Red Hat / Red Hat OpenShift Container Platform 4
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H