High severity7.4NVD Advisory· Published May 29, 2026· Updated Jun 8, 2026
CVE-2026-46579
CVE-2026-46579
Description
A flaw was found in the OpenShift Router. When a Route has insecureEdgeTerminationPolicy set to Allow, the HTTP frontend does not remove X-SSL-Client-* headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted X-SSL-Client-* headers. As a result, backends relying on these headers for mutual TLS (Transport Layer Security) authentication can be bypassed, enabling the attacker to impersonate client certificate identities.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3- cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_router:-:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:redhat:openshift_router:-:*:*:*:*:*:*:*
- (no CPE)
Patches
Vulnerability mechanics
References
2- access.redhat.com/security/cve/CVE-2026-46579nvdVendor Advisory
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingVendor Advisory
News mentions
0No linked articles in our index yet.