CVE Catalog

CVE-2026-10609

MediumCVSS 6.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

14th percentile - higher than 14% of all known CVEs

Summary

A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials.

Risk Assessment

A delegated editor can exfiltrate ServiceAccount tokens and escalate privileges in the OpenShift cluster, leading to unauthorized access to resources.

Recommendation

Update the OpenShift Cluster Logging Operator to a version containing the fix for the missing authorization. Restrict access to creating ClusterLogForwarder to trusted users only.

Original NVD description (English source)

A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrate SA tokens and escalate privileges.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS