CVE-2026-10609
MediumCVSS 6.8Exploitation Probability (EPSS)
Low risk14th percentile - higher than 14% of all known CVEs
Summary
A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials.
Risk Assessment
A delegated editor can exfiltrate ServiceAccount tokens and escalate privileges in the OpenShift cluster, leading to unauthorized access to resources.
Recommendation
Update the OpenShift Cluster Logging Operator to a version containing the fix for the missing authorization. Restrict access to creating ClusterLogForwarder to trusted users only.
Original NVD description (English source)
A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrate SA tokens and escalate privileges.

