HIGH | CVE-2026-1784 | CNA: redhat

CVE-2026-1784: Ose-cluster-ingress-operator: remote code execution through haproxy configuration injection

The OpenShift Route resource lets users define routes that make pods reachable at a subdomain through HAProxy. It was found that the checks performed on the spec.path YAML stanza in a Route document were insufficient and could allow a controlled injection into the HAProxy configuration.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 2

HarborGuard Analysis

Synopsis

This is a configuration injection vulnerability in the HAProxy component of Red Hat OpenShift Container Platform 4, specifically triggered through the spec.path field of an OpenShift Route resource. An attacker with a low-privilege account on the cluster can craft a malicious Route document that injects arbitrary directives into the HAProxy configuration, without any network-level exposure or victim interaction required. Successful exploitation gives the attacker full control over the affected container's filesystem, running processes, and network activity, effectively achieving remote code execution within the HAProxy context with cross-container scope. No upstream fix has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built OpenShift operator images derived from ose-cluster-ingress-operator. Coverage extends to images already in registries and those entering CI/CD pipelines mid-build.
Triage: Available

HarborGuard is capable of scoring this finding at CVSS 8.8 HIGH and weighting it against each environment's compliance policy to determine urgency. Triage results are routed to the team inbox configured for the affected workload within each customer organization.
Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the Red Hat advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix lands. In the interim, compensating controls such as network-policy isolation and RBAC restrictions on Route creation are surfaced in the finding detail for customer review.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; the vulnerability is exploited locally via the Kubernetes API, not over an inbound network connection.

  • Authentication: Required

    Any low-privilege cluster account with permission to create or modify Route resources is sufficient to trigger the injection.

  • Victim interaction: Not required

    No user action or social engineering is needed; submitting the malicious Route document is the entire attack.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions or special memory layout are required to inject the HAProxy configuration.

Blast Radius

  • Reads secrets and environment variables accessible to the HAProxy process, including TLS certificates and session data for all routed traffic.
  • Modifies the running HAProxy configuration, allowing the attacker to redirect or intercept traffic for any subdomain handled by the ingress operator.
  • Crashes or restarts the ingress operator process, dropping routing for all services exposed through OpenShift Routes in the affected cluster.
  • Because the CVSS scope is Changed, the impact extends beyond the HAProxy container boundary to other pods and resources sharing the node.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked against all images derived from or containing ose-cluster-ingress-operator components. Because Red Hat has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will trigger an automatic patched-image rebuild the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads without manual intervention. While no upstream patch exists, the finding detail surfaces actionable compensating controls: tightening RBAC to restrict Route creation to trusted service accounts, applying Kubernetes network policies to isolate the ingress operator namespace, and enabling audit logging on Route resource mutations to detect exploitation attempts. Customers can also gate Route admission through a validating admission webhook that rejects spec.path values containing characters outside a strict allowlist, reducing the injection surface until a vendor patch is available.
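
The allowlist check that such a validating admission webhook could apply to a Route, as an added example that is not HarborGuard or Red Hat code. The allowlist pattern and the names `CheckPath` and `Review` are assumptions, the sample request is constructed, and the HTTPS serving layer is left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Assumed allowlist (the advisory does not define one): a leading slash, then
// only unreserved URL characters and slashes, at most 255 bytes in total.
var pathAllowed = regexp.MustCompile(`\A/[A-Za-z0-9._~/-]{0,254}\z`)

type admissionReview struct {
	Request *struct {
		UID    string `json:"uid"`
		Object struct {
			Spec struct{ Path string `json:"path"` } `json:"spec"`
		} `json:"object"`
	} `json:"request"`
}

// CheckPath accepts an empty path (spec.path is optional) or an allowlisted one.
func CheckPath(p string) error {
	if p == "" || pathAllowed.MatchString(p) {
		return nil
	}
	return fmt.Errorf("spec.path %q is outside the allowlist", p)
}

// Review reads request.uid and request.object.spec.path from an
// AdmissionReview request body and returns the AdmissionReview response body.
func Review(body []byte) ([]byte, error) {
	var in admissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview")
	}
	resp := map[string]interface{}{"uid": in.Request.UID, "allowed": true}
	if err := CheckPath(in.Request.Object.Spec.Path); err != nil {
		resp["allowed"] = false
		resp["status"] = map[string]string{"message": err.Error()}
	}
	return json.Marshal(map[string]interface{}{
		"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp})
}

func main() {
	// Constructed request: a Route whose spec.path contains a space.
	out, _ := Review([]byte(`{"request":{"uid":"u1","object":{"spec":{"path":"/a b"}}}}`))
	fmt.Println(string(out))
}
```

Registering the webhook with `failurePolicy: Fail` keeps Routes from being admitted unchecked if the webhook is unreachable.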

Affected packages
  • Red Hat / Red Hat OpenShift Container Platform 4
  • Red Hat / Red Hat OpenShift Container Platform 4
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H