VYPR
High severity (7.2) · NVD Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

CVE-2026-10843

Description

OpenShift Cloud Credential Operator flaw allows AWS account-wide IAM access beyond cluster scope, enabling cross-scope impact upon credential compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A flaw exists in the OpenShift Cloud Credential Operator (CCO) when it runs in Mint mode on AWS. In Mint mode the CCO uses an admin-level root credential to create a dedicated IAM user for each cluster component and attaches the policy declared in that component's CredentialsRequest. The policies it minted granted destructive actions (deletion and termination) across the entire AWS account instead of restricting them to resources the cluster owns. This is a flaw in the shipped policy definitions rather than a per-cluster misconfiguration, and all versions of the affected component are reported as affected.

Exploitation

An attacker who compromises one of the minted operator credentials, by whatever means, inherits its account-wide scope and can run the same destructive actions against resources outside the cluster's intended boundary; nothing in the attached policy confines them to cluster-owned resources. The defect is in the CCO's Mint-mode CredentialsRequest manifests, which grant those destructive IAM actions without any resource or condition scoping.
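The two paragraphs above describe a policy-scoping defect, so the practical check is to audit the IAM policies actually attached to minted users. The following is an added example and is not CCO code, the CredentialsRequest manifests, or the actual fix. OVERSCOPED_POLICY is a constructed stand-in for the flaw (destructive actions on Resource "*" with no scoping); SCOPED_POLICY shows one assumed way to confine the same actions to cluster-owned resources with an aws:ResourceTag condition on the kubernetes.io/cluster/<infraID> tag OpenShift places on resources it creates. The infra ID "demo-cluster-abc12", the choice of DESTRUCTIVE_ACTIONS, and the account-wide heuristic in _is_account_wide are assumptions.

```python
"""Audit AWS IAM policy documents for destructive actions granted account-wide.

Added example, not CCO code and not the actual fix. The policies below are
constructed; the infra ID, the destructive-action list and the account-wide
heuristic are assumptions.
"""
import fnmatch

# Real IAM action names that can destroy resources beyond a cluster when
# granted on "*". Which ones count as destructive is an assumption.
DESTRUCTIVE_ACTIONS = (
    "ec2:TerminateInstances",
    "ec2:DeleteVolume",
    "ec2:DeleteSecurityGroup",
    "elasticloadbalancing:DeleteLoadBalancer",
    "s3:DeleteBucket",
    "s3:DeleteObject",
    "iam:DeleteUser",
)

# Condition keys that tie an action to the tags on the target resource.
SCOPING_CONDITION_PREFIXES = ("aws:ResourceTag/", "ec2:ResourceTag/")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _destructive_matches(action_pattern):
    """Destructive actions covered by one Action entry ('*' and 'ec2:*' included)."""
    pat = action_pattern.lower()
    return [a for a in DESTRUCTIVE_ACTIONS if fnmatch.fnmatchcase(a.lower(), pat)]


def _has_scoping_condition(statement):
    """True if any condition key restricts the action by resource tag."""
    for keys in statement.get("Condition", {}).values():
        if any(k.startswith(SCOPING_CONDITION_PREFIXES) for k in keys):
            return True
    return False


def _is_account_wide(resource):
    """Heuristic: '*' or an ARN whose resource id is a bare wildcard.
    S3 names the bucket in the resource id, so 'bucket/*' is bucket-scoped."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        return False
    service, resource_id = parts[2], parts[5]
    if service == "s3":
        return resource_id in ("*", "*/*")
    return resource_id == "*" or resource_id.endswith("/*")


def audit_policy(policy):
    """One finding per Allow statement that grants a destructive action on an
    account-wide resource without a resource-tag condition."""
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or _has_scoping_condition(st):
            continue
        wide = [r for r in _as_list(st.get("Resource")) if _is_account_wide(r)]
        if not wide:
            continue
        hits = sorted({a for pat in _as_list(st.get("Action")) for a in _destructive_matches(pat)})
        if hits:
            findings.append({"statement": st.get("Sid", f"#{idx}"), "actions": hits, "resources": wide})
    return findings


CLUSTER_ID = "demo-cluster-abc12"  # hypothetical OpenShift infra ID
CLUSTER_TAG = f"kubernetes.io/cluster/{CLUSTER_ID}"  # tag OpenShift sets on resources it creates

# Constructed: mirrors the flaw, destructive actions with no scoping at all.
OVERSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ClusterNodes", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:RunInstances",
                    "ec2:TerminateInstances", "ec2:DeleteVolume"],
         "Resource": "*"},
    ],
}

# Constructed: Describe* has no resource-level support and stays on "*";
# destructive actions are confined to resources tagged as owned by the cluster.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances"], "Resource": "*"},
        {"Sid": "ClusterOwnedOnly", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume"],
         "Resource": "*",
         "Condition": {"StringEquals": {f"aws:ResourceTag/{CLUSTER_TAG}": "owned"}}},
    ],
}

if __name__ == "__main__":
    print("overscoped:", audit_policy(OVERSCOPED_POLICY))  # one finding
    print("scoped:", audit_policy(SCOPED_POLICY))          # []
```

Run audit_policy over the inline policy of each IAM user the CCO minted (the JSON returned by the IAM API for that user's policies) to see which components hold account-wide destructive permissions. The tag condition is only one scoping pattern; actions without resource-level support (most Describe* calls) legitimately need "*", which is why the auditor flags only the destructive list.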

Impact

Upon successful exploitation, the blast radius is no longer the cluster but the AWS account: the attacker can run the granted destructive actions against any matching resource in the account, not only those the cluster owns. This can mean data loss, service disruption for unrelated workloads sharing the account, or unauthorized modifications to the wider AWS environment.

Mitigation

This vulnerability is addressed in a fixed version of the OpenShift Cloud Credential Operator. Specific version details and release dates for the patch are given in the Red Hat advisory [1] and the Bugzilla entry [2]; note that this page's own patch index lists no patch yet, so confirm the fixed version from those sources before relying on it. Users are advised to update to the patched version as soon as possible, and in the meantime to review the IAM policies attached to minted operator users for destructive actions granted on an account-wide scope.

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. Vulnerability mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0 (no linked articles in our index yet)