High severity8.7GHSA Advisory· Published Dec 15, 2025· Updated Apr 15, 2026

CVE-2025-11393

Description

A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle.

This allows a standard user within the cluster to send unauthorized commands to the management platform, effectively acting with the full permissions of the cluster administrator. This could lead to unauthorized changes to the cluster's configuration or status on the Red Hat platform.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/RedHatInsights/runtimes-inventory-operatorGo	<= 0.0.0-20251211184433-5123422abee1	—

Affected products

RedHatInsights/Runtimes Inventory OperatorGHSA
Range: <= 0.0.0-20251211184433-5123422abee1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-cc8c-28gj-px38ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-11393ghsaADVISORY
access.redhat.com/errata/RHSA-2025:23236nvdWEB
access.redhat.com/security/cve/CVE-2025-11393nvdWEB
bugzilla.redhat.com/show_bug.cginvdWEB

News mentions

No linked articles in our index yet.

cvss	0.565
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000