CVE-2026-10101
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk8th percentile - higher than 8% of all known CVEs
Summary
The ACM/MCE assisted-service component writes raw pull-secret data into `InfraEnv.status.conditions[].message` when pull-secret validation fails. This allows a namespace principal with the `view` ClusterRole to read sensitive authentication data from InfraEnv objects, bypassing RBAC restrictions on Secrets.
Risk Assessment
The organization is at risk of leaking authentication credentials (username, password, email, base64 auth) to image registries, potentially leading to unauthorized access to container registries and privilege escalation within the cluster.
Recommendation
Immediately update the assisted-service component to a version that does not expose raw pull-secret data in InfraEnv status. Until the update, restrict access to InfraEnv objects to trusted principals only.
Original NVD description (English source)
ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterRole cannot directly read Secrets, but can read `InfraEnv` objects and recover the referenced Secret's `.dockerconfigjson` data from status. This bypasses the Kubernetes/OpenShift RBAC separation between read-only namespace viewers and Secret readers. In the reproduced proof, the same ServiceAccount was denied `get` and `list` on Secrets, but recovered synthetic pull-secret `username`, `password`, `email`, and base64 `auth` fields through `InfraEnv.status`.

