CVE-2026-42965: openshift/router: cloud metadata SSRF via FQDN-typed EndpointSlice bypasses destination validation
A flaw was found in the OpenShift Router. A user with EndpointSlice write access can exploit this vulnerability by creating a Service backed by an FQDN (Fully Qualified Domain Name) EndpointSlice that resolves to a cloud metadata endpoint. The router then proxies requests to the cloud metadata endpoint, leading to the disclosure of instance credentials and other sensitive metadata. This bypasses the router's existing destination validation, which checked literal IP addresses but not the addresses an FQDN endpoint resolves to.
HarborGuard Analysis
Synopsis
A server-side request forgery (SSRF) flaw in the OpenShift Router lets a user with EndpointSlice write access create a Service backed by an FQDN-typed EndpointSlice that resolves to a cloud metadata endpoint. Because the router validated literal IP addresses but not FQDN-resolved destinations, requests are proxied to the cloud provider's metadata service. Successful exploitation discloses instance credentials and other sensitive cloud metadata. HarborGuard tracks the Red Hat advisory and will make a patched rebuild available when an upstream fix is published.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment, with the Red Hat advisory ingested within minutes of publication and matched against OpenShift Router images in customer registries and pipelines. Coverage extends to custom-built images derived from the affected OpenShift Container Platform 4 base layers.
- Triage: Available
Triage is available with the upstream CVSS 3.1 score of 7.7 (High) applied, then weighted by each customer's compliance policy so SSRF-to-metadata exposure on cloud-hosted clusters can be escalated where appropriate. Findings route to the configured inbox inside each customer org based on workload ownership.
- Remediation: Pending upstream
No fix version has been published yet. HarborGuard re-checks the Red Hat advisory each ingest cycle and will make a patched-image rebuild available the moment an upstream fix lands; auto-remediation customers will then get the rebuild, a regression-test run, and a PR opened against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must reach the OpenShift Router over the network to trigger the proxied request.
- Authentication: Required
A low-privilege account with EndpointSlice write access in the cluster is required to plant the malicious FQDN-backed Service.
- Victim interaction: Not required
No user action is needed; the router proxies the crafted request on its own.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable once the EndpointSlice is in place and does not depend on race conditions or memory layout.
Blast Radius
- Reads cloud instance metadata served by the provider's metadata endpoint, including the temporary credentials issued for the node's instance role (IAM role, service account, or managed identity, depending on the provider).
- Discloses other sensitive metadata such as user-data, instance identity documents, and cloud configuration that can seed further attacks against the cloud account.
- No direct integrity or availability impact on the router itself, but stolen credentials can be reused outside the cluster to pivot into the underlying cloud environment.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the Red Hat advisory for CVE-2026-42965, with the patched OpenShift Router rebuild made available automatically once an upstream fix ships. In the meantime, compensating-control guidance is surfaced for affected environments: restrict EndpointSlice write permissions via RBAC (the endpointslices resource in the discovery.k8s.io API group; audit which subjects hold create, update or patch on it); block router egress to the cloud metadata IP (for example 169.254.169.254, plus the provider's IPv6 metadata address where one exists) at the network-policy or node-firewall layer; enforce IMDSv2 or an equivalent hop-limit protection on the cloud provider; and gate any FQDN-typed EndpointSlice usage behind admission policy. Two caveats apply to the IMDS hardening. The IMDSv2 token handshake by itself does not stop a proxy-style SSRF, because the attacker controls the method and headers of the request the router forwards and can fetch the token through the same path; it is the hop limit of 1 on the token response that blocks the access. That hop limit in turn only helps when the router pod runs on the pod network, since a hostNetwork router's requests are indistinguishable from the node's own. The egress block is therefore the control to rely on. For customers who opt into auto-remediation, the rebuild-and-PR flow will run as soon as a fixed version is published, with high-severity issues typically reaching a merged patch PR within roughly 90 minutes of fix availability.
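To make the missing check in the synopsis concrete, and to give operators a way to find risky slices before a fix ships, here is an added example that is not openshift/router code and not part of the original advisory. It models the literal-IP-only validation the flaw bypasses beside the resolve-then-validate form, and runs the hardened check over a constructed set of EndpointSlices in the shape of the items of `oc get endpointslices -A -o json`. The blocked ranges, the namespace and service names, the hostnames and the fake resolver are all assumptions; `system_resolver` uses the host resolver if you feed `audit_slices` real output.

```python
"""Find EndpointSlices whose endpoints resolve to cloud metadata.
Added example, not openshift/router code: models the check the router
lacked (literal IPs validated, FQDN endpoints forwarded unresolved)."""
import ipaddress
import json
import socket
from typing import Callable, Iterable

# Destinations a tenant-controlled proxy target must never reach (assumed
# list). 169.254.0.0/16 covers 169.254.169.254 (AWS, GCP, Azure, OpenStack);
# fd00:ec2::254 is the AWS IPv6 IMDS address; loopback stops a Service from
# being aimed back at the router pod itself.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("fd00:ec2::254/128"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]

Resolver = Callable[[str], Iterable[str]]

def system_resolver(name: str) -> list[str]:
    """Resolve A and AAAA records with the host resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})

def is_blocked_ip(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)  # mixed-family 'in' is simply False
    return any(ip in net for net in BLOCKED_NETWORKS)

def literal_ip_check(address_type: str, address: str) -> bool:
    """Pre-fix behaviour as modelled here: literal IPs are validated,
    an FQDN endpoint is accepted without ever being resolved."""
    if address_type in ("IPv4", "IPv6"):
        return not is_blocked_ip(address)
    return True

def resolved_check(address_type: str, address: str, resolve: Resolver) -> bool:
    """Hardened form: resolve FQDNs and validate every returned address.
    A name that resolves to nothing is rejected (fail closed)."""
    if address_type in ("IPv4", "IPv6"):
        return not is_blocked_ip(address)
    if address_type == "FQDN":
        targets = list(resolve(address))
        return bool(targets) and not any(is_blocked_ip(t) for t in targets)
    return False

def audit_slices(slices: list[dict], resolve: Resolver = system_resolver) -> list[dict]:
    """One finding per endpoint address the hardened check rejects."""
    findings = []
    for es in slices:
        atype = es.get("addressType", "")
        meta = es.get("metadata", {})
        for ep in es.get("endpoints", []):
            for addr in ep.get("addresses", []):
                if resolved_check(atype, addr, resolve):
                    continue
                findings.append({
                    "namespace": meta.get("namespace"),
                    "name": meta.get("name"),
                    "service": meta.get("labels", {}).get("kubernetes.io/service-name"),
                    "addressType": atype,
                    "address": addr,
                    # True here is exactly the bypass: the old check let it through.
                    "passes_literal_ip_check": literal_ip_check(atype, addr),
                })
    return findings

# Constructed sample (namespace, names and hosts are made up) in the shape
# of the items returned by `oc get endpointslices -A -o json`.
SAMPLE_SLICES = json.loads("""[
 {"metadata": {"namespace": "shop", "name": "web-abc12",
               "labels": {"kubernetes.io/service-name": "web"}},
  "addressType": "IPv4", "endpoints": [{"addresses": ["10.128.2.17"]}]},
 {"metadata": {"namespace": "shop", "name": "direct-ip-1",
               "labels": {"kubernetes.io/service-name": "direct-ip"}},
  "addressType": "IPv4", "endpoints": [{"addresses": ["169.254.169.254"]}]},
 {"metadata": {"namespace": "shop", "name": "metadata-1",
               "labels": {"kubernetes.io/service-name": "metadata"}},
  "addressType": "FQDN", "endpoints": [{"addresses": ["imds.attacker.example"]}]},
 {"metadata": {"namespace": "shop", "name": "partner-1",
               "labels": {"kubernetes.io/service-name": "partner"}},
  "addressType": "FQDN", "endpoints": [{"addresses": ["api.partner.example"]}]}
]""")

# Offline stand-in for DNS so the example runs without a network. The
# attacker owns the zone for their hostname, so any answer is possible.
FAKE_DNS = {
    "imds.attacker.example": ["169.254.169.254"],
    "api.partner.example": ["203.0.113.10", "2001:db8::10"],
}

def fake_resolver(name: str) -> list[str]:
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for finding in audit_slices(SAMPLE_SLICES, fake_resolver):
        print(json.dumps(finding))
```

Run against the sample, the audit flags two endpoints: the literal 169.254.169.254 (which the old check also rejected) and the FQDN that resolves to it (which the old check accepted, the bypass). A resolve-at-audit check is only a point-in-time view: the attacker controls the zone for their hostname and can serve a harmless address while the check runs and the metadata IP a moment later on a short TTL, which is why the egress block and an admission policy on FQDN-typed slices remain the durable controls and this audit is for finding what already exists.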
Metrics
- CVSS v3.1: 7.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 2
  - Red Hat / Red Hat OpenShift Container Platform 4
  - Red Hat / Red Hat OpenShift Container Platform 4
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N