CVE-2026-46579: openshift/router: mTLS client certificate spoofing via unstripped X-SSL-Client-* headers on HTTP frontend
A flaw was found in the OpenShift Router. When a Route has `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend does not remove `X-SSL-Client-*` headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted `X-SSL-Client-*` headers. As a result, backends relying on these headers for mutual TLS (Transport Layer Security) authentication can be bypassed, enabling the attacker to impersonate client certificate identities.
HarborGuard Analysis
Synopsis
An mTLS client certificate spoofing flaw in the OpenShift Router lets attackers forge identity headers on the HTTP frontend. When a Route uses insecureEdgeTerminationPolicy: Allow, the router fails to strip X-SSL-Client-* headers from incoming plain HTTP requests, so any unauthenticated client that can reach the HTTP listener can inject crafted headers and impersonate a client certificate identity to backends that trust those headers for mutual TLS. Successful exploitation reads and modifies data behind those backends under whatever client identity the attacker names in the headers. No upstream fix is published yet; HarborGuard tracks the advisory and will surface a patched rebuild the moment one ships.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE is pulled from upstream feeds within minutes of publication and matched against OpenShift Router images in customer registries and build pipelines, including custom-built variants. Coverage extends to images that vendor or fork the router binary rather than pulling the Red Hat tag directly.
- Triage: Available
Triage is available with the CVSS 3.1 base score of 7.4 (High) applied and re-weighted by each customer's compliance policy, so environments that treat identity-spoofing or mTLS-bypass classes as elevated can promote it further. Findings route to the right inbox inside each customer org based on image ownership and workload tags.
- Remediation: Pending upstream
No upstream fix is published. HarborGuard re-checks the Red Hat advisory each ingest cycle, and a patched-image rebuild becomes available the moment a fixed router version ships; customers with auto-remediation enabled then receive the rebuild, a regression-test run, and a PR opened against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to send HTTP requests to the router's HTTP frontend over the network.
- Authentication: Not required
No credentials are needed; any unauthenticated client that can reach the HTTP listener can inject the spoofed headers.
- Victim interaction: Not required
Exploitation is a direct request to the router and does not depend on any user action.
- Attack complexity: High (AC:H)
AC:H indicates exploitation depends on environmental conditions, specifically a Route configured with insecureEdgeTerminationPolicy: Allow and a backend that trusts X-SSL-Client-* headers for mTLS identity.
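The first of the two environmental preconditions above, a Route still set to Allow, can be checked directly against the cluster. The script below is an added example, not code from HarborGuard or from openshift/router: it reads the JSON that `oc get routes -A -o json` prints (a v1 List of route.openshift.io/v1 Route objects; the RouteList embedded in the script is constructed for offline use), lists every Route whose insecureEdgeTerminationPolicy is Allow, and prints the `oc patch` call that moves it to Redirect. The second precondition, a backend that trusts the headers, is not visible in the Route object and has to be checked in the application itself.

```python
"""Audit OpenShift Routes whose HTTP frontend is still open (policy Allow).

Added example, not code from HarborGuard or openshift/router.  Input is the
JSON printed by `oc get routes -A -o json` (a v1 List of
route.openshift.io/v1 Routes); SAMPLE_ROUTE_LIST below is constructed.
"""
import json
import sys

ALLOW = "Allow"


def find_allow_routes(route_list):
    """Return (namespace, name, termination) for every Route set to Allow.

    Routes without spec.tls are plain-HTTP routes and carry no client
    certificate identity at all, so they are not the case this advisory
    covers and are skipped.
    """
    findings = []
    for route in route_list.get("items", []):
        meta = route.get("metadata") or {}
        tls = (route.get("spec") or {}).get("tls") or {}
        if tls.get("insecureEdgeTerminationPolicy") == ALLOW:
            findings.append((meta.get("namespace", ""),
                             meta.get("name", ""),
                             tls.get("termination", "")))
    return findings


def remediation_command(namespace, name, policy="Redirect"):
    """The `oc patch` call that closes the HTTP frontend of one Route.

    Redirect answers plain-HTTP requests with a redirect to HTTPS; pass
    policy="None" to stop serving plain HTTP on the Route altogether.
    """
    patch = json.dumps({"spec": {"tls": {"insecureEdgeTerminationPolicy": policy}}})
    return f"oc patch route {name} -n {namespace} -p '{patch}'"


# Constructed RouteList standing in for real `oc get routes -A -o json` output.
SAMPLE_ROUTE_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "payments", "name": "api"},
         "spec": {"host": "api.apps.example.com",
                  "tls": {"termination": "edge",
                          "insecureEdgeTerminationPolicy": "Allow"}}},
        {"metadata": {"namespace": "payments", "name": "admin"},
         "spec": {"host": "admin.apps.example.com",
                  "tls": {"termination": "reencrypt",
                          "insecureEdgeTerminationPolicy": "Redirect"}}},
        {"metadata": {"namespace": "legacy", "name": "intranet"},
         "spec": {"host": "intranet.apps.example.com",
                  "tls": {"termination": "reencrypt",
                          "insecureEdgeTerminationPolicy": "Allow"}}},
        {"metadata": {"namespace": "public", "name": "www"},
         "spec": {"host": "www.apps.example.com"}},   # no TLS block at all
    ],
}


def main():
    # Read a RouteList from a pipe, or fall back to the constructed sample.
    data = SAMPLE_ROUTE_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    findings = find_allow_routes(data)
    for ns, name, termination in findings:
        print(f"{ns}/{name} ({termination}): insecureEdgeTerminationPolicy=Allow")
        print("  " + remediation_command(ns, name))
    # Non-zero exit lets a CI job fail while Allow Routes remain.
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Run it against a live cluster with `oc get routes -A -o json | python3 audit_routes.py`; with no pipe it reports on the constructed sample. Review each flagged Route before applying the printed patch: Redirect keeps plain-HTTP clients working via a redirect, None refuses them, and a Route whose backend never looks at X-SSL-Client-* headers is not exploitable through this flaw even though it is still worth closing.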
Blast Radius
- Impersonates arbitrary client certificate identities to backends that consume X-SSL-Client-* headers, bypassing mutual TLS authentication entirely.
- Reads sensitive data exposed to the impersonated identity, including records and APIs gated on client-cert identity.
- Modifies state on those backends under the spoofed identity, including writes, configuration changes, or privileged actions tied to the forged certificate subject.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the Red Hat advisory for this CVE, with a patched-image rebuild surfaced automatically once an upstream fix lands and, for customers who opt into auto-remediation, a rebuild plus regression run plus PR opened against affected workloads. In the meantime, HarborGuard surfaces compensating-control guidance for affected environments: audit Routes for insecureEdgeTerminationPolicy: Allow and switch to Redirect (plain HTTP is redirected to HTTPS) or None (plain HTTP is not served) where feasible; configure backends to ignore or explicitly reject X-SSL-Client-* headers on requests that did not arrive through the router's TLS frontend; and apply network policies that restrict who can reach the router's plain HTTP listener until the upstream patch is published.
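The second compensating control above, a backend that stops trusting identity headers on plain-HTTP requests, looks like this in practice. The code is an added example, not HarborGuard's or openshift/router's: it contrasts the vulnerable pattern (any X-SSL-Client-* header is believed) with a hardened check that only accepts the identity when the request came from the router's address range over its TLS frontend with a successful verification flag. Three things here are assumptions rather than facts from the advisory: the concrete header names X-SSL-Client-DN and X-SSL-Client-Verify (the advisory only says X-SSL-Client-*), that the router stamps X-Forwarded-Proto itself so a client cannot supply it, and the router's source network. If your router does not overwrite X-Forwarded-Proto, the proto check is spoofable too, and only the Route change and the network policy actually close the hole; the sample requests are constructed.

```python
"""Backend-side handling of X-SSL-Client-* identity headers.

Added example, not code from HarborGuard or openshift/router.  Header
names, the X-Forwarded-Proto behaviour and the router CIDR are assumptions.
"""
import ipaddress

IDENTITY_HEADER = "x-ssl-client-dn"        # assumed header name
VERIFY_HEADER = "x-ssl-client-verify"      # assumed header name
# Assumed address range the router pods connect from (pod network).
ROUTER_SOURCE_NETS = [ipaddress.ip_network("10.128.0.0/14")]


def _norm(headers):
    """Header names are case-insensitive; compare them lower-cased."""
    return {k.lower(): v for k, v in headers.items()}


def identity_vulnerable(headers):
    """The pattern this advisory exploits: whatever DN arrives is trusted."""
    return _norm(headers).get(IDENTITY_HEADER)


def identity_hardened(headers, peer_ip):
    """Accept the DN only when every signal says it came from the TLS frontend.

    Returns the DN, or None when the request must be treated as anonymous.
    """
    h = _norm(headers)
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in ROUTER_SOURCE_NETS):
        return None                      # did not come through the router
    if h.get("x-forwarded-proto", "").lower() != "https":
        return None                      # plain-HTTP listener: headers untrusted
    if h.get(VERIFY_HEADER) != "SUCCESS":
        return None                      # router did not verify a client cert
    return h.get(IDENTITY_HEADER)


def strip_identity_headers(headers):
    """Alternative for apps that read the raw headers: drop every
    X-SSL-Client-* header unless the request arrived over HTTPS."""
    if _norm(headers).get("x-forwarded-proto", "").lower() == "https":
        return dict(headers)
    return {k: v for k, v in headers.items()
            if not k.lower().startswith("x-ssl-client-")}


# Constructed: what the router forwards when an attacker hits the plain-HTTP
# listener of a Route set to Allow with forged headers.  The forged
# X-SSL-Client-* headers pass through unchanged; X-Forwarded-Proto is http
# (assumed to be set by the router, not the client).
SPOOFED_HTTP = {
    "Host": "api.apps.example.com",
    "X-Forwarded-Proto": "http",
    "X-SSL-Client-DN": "CN=payments-admin,O=Example",
    "X-SSL-Client-Verify": "SUCCESS",
}
# Constructed: the same headers as the TLS frontend would emit after
# verifying a genuine client certificate.
GENUINE_MTLS = {
    "Host": "api.apps.example.com",
    "X-Forwarded-Proto": "https",
    "X-SSL-Client-DN": "CN=batch-worker,O=Example",
    "X-SSL-Client-Verify": "SUCCESS",
}
ROUTER_IP = "10.129.2.17"          # inside the assumed router range
ATTACKER_DIRECT_IP = "203.0.113.9"  # a client bypassing the router entirely


if __name__ == "__main__":
    print("vulnerable, spoofed HTTP :", identity_vulnerable(SPOOFED_HTTP))
    print("hardened,   spoofed HTTP :", identity_hardened(SPOOFED_HTTP, ROUTER_IP))
    print("hardened,   genuine mTLS :", identity_hardened(GENUINE_MTLS, ROUTER_IP))
    print("hardened,   direct peer  :", identity_hardened(GENUINE_MTLS, ATTACKER_DIRECT_IP))
    print("stripped,   spoofed HTTP :", sorted(strip_identity_headers(SPOOFED_HTTP)))
```

The vulnerable function hands the attacker `CN=payments-admin,O=Example`; the hardened one returns None for the same request and still authenticates the genuine mTLS request, and refuses headers from a peer that is not the router at all. Treat these checks as defense in depth behind the Route change, not as a substitute for it.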
Metrics
- CVSS v3.1: 7.4
- Severity: HIGH
- Fixed in: —
- Affected Products: 2
  - Red Hat / Red Hat OpenShift Container Platform 4
  - Red Hat / Red Hat OpenShift Container Platform 4
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N