CVE-2026-10840
Description
OpenShift Pipelines operator flaw grants authenticated users write access to Kueue and cert-manager resources, enabling workload disruption and secret overwrites.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A flaw exists in the OpenShift Pipelines operator where the tekton-scheduler-rolebinding ClusterRoleBinding incorrectly grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. This vulnerability is present when Kueue or cert-manager CRDs are installed on the cluster.
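A defender's check for the misconfiguration described above, added here as an example and not code from Red Hat or the operator: it scans ClusterRole/ClusterRoleBinding objects (the shape returned by `oc get clusterroles,clusterrolebindings -o json`) and flags any binding that hands a broad group such as system:authenticated write verbs on Kueue (kueue.x-k8s.io) or cert-manager (cert-manager.io) API groups. The sample objects are constructed; their names follow the advisory but the rule contents are illustrative, not the operator's actual manifest.

```python
import json
# CRD API groups named in the advisory, verbs that modify objects, and the
# group subjects that mean "every cluster user" (the CVE's system:authenticated).
SENSITIVE_GROUPS = {"kueue.x-k8s.io", "cert-manager.io"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
BROAD_SUBJECTS = {"system:authenticated", "system:unauthenticated"}

# Constructed sample shaped like the `items` list of
# `oc get clusterroles,clusterrolebindings -o json`. Object names follow the
# advisory; the rules are illustrative, not the operator's real manifest.
SAMPLE_ITEMS = json.loads("""[
 {"kind":"ClusterRole","metadata":{"name":"tekton-scheduler-role"},"rules":[
   {"apiGroups":["kueue.x-k8s.io"],"resources":["workloads","localqueues"],
    "verbs":["get","list","create","update","patch","delete"]},
   {"apiGroups":["cert-manager.io"],"resources":["certificates"],
    "verbs":["get","list","create","update","patch","delete"]}]},
 {"kind":"ClusterRole","metadata":{"name":"kueue-reader"},"rules":[
   {"apiGroups":["kueue.x-k8s.io"],"resources":["workloads"],"verbs":["get","list"]}]},
 {"kind":"ClusterRoleBinding","metadata":{"name":"tekton-scheduler-rolebinding"},
  "roleRef":{"kind":"ClusterRole","name":"tekton-scheduler-role"},
  "subjects":[{"kind":"Group","name":"system:authenticated"}]},
 {"kind":"ClusterRoleBinding","metadata":{"name":"kueue-reader-binding"},
  "roleRef":{"kind":"ClusterRole","name":"kueue-reader"},
  "subjects":[{"kind":"Group","name":"system:authenticated"}]}
]""")

def sensitive_write_rules(role):
    """(apiGroup, resource, verb) triples in `role` that permit writes on a sensitive group."""
    hits = []
    for rule in role.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        if "*" in groups:  # wildcard apiGroup covers the sensitive groups too
            groups = SENSITIVE_GROUPS
        for group in sorted(groups & SENSITIVE_GROUPS):
            for res in rule.get("resources", []):
                for verb in sorted(set(rule.get("verbs", [])) & WRITE_VERBS):
                    hits.append((group, res, verb))
    return hits

def find_broad_write_bindings(items):
    """Names of ClusterRoleBindings that give a broad group write access to Kueue/cert-manager CRDs."""
    roles = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterRole"}
    findings = []
    for crb in (i for i in items if i["kind"] == "ClusterRoleBinding"):
        groups = {s["name"] for s in crb.get("subjects", []) if s.get("kind") == "Group"}
        role = roles.get(crb["roleRef"]["name"]) if crb["roleRef"]["kind"] == "ClusterRole" else None
        if groups & BROAD_SUBJECTS and role and sensitive_write_rules(role):
            findings.append(crb["metadata"]["name"])
    return findings
```

Against a live cluster, feed `find_broad_write_bindings` the concatenated `items` lists from the two `oc get ... -o json` calls; an empty result means no binding of this shape remains after patching.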
Exploitation
An attacker who is authenticated to the cluster can leverage this vulnerability. By exploiting the overly permissive rolebinding, an attacker can directly interact with Kueue and cert-manager custom resources without requiring any special privileges beyond basic authentication.
Impact
Successful exploitation allows an authenticated user to disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or cause cert-manager to overwrite TLS Secrets. This includes the potential to overwrite the default ingress controller certificate, leading to service disruption and potential information disclosure.
Mitigation
Red Hat has addressed this issue in the OpenShift Pipelines operator. Specific fixed versions and release dates are detailed in the associated Red Hat advisory [1] and Bugzilla entry [2]. Users are advised to update to a patched version of the OpenShift Pipelines operator as soon as possible. No workarounds are described in the available references.
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0 (No linked articles in our index yet.)