High severity (8.2) · NVD Advisory · Published Apr 7, 2026 · Updated Apr 28, 2026
CVE-2026-4740
Description
A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This enables cross-cluster privilege escalation and may allow an attacker to gain control over other managed clusters, including the hub cluster.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| open-cluster-management.io/ocm (Go) | < 1.2.1 | 1.2.1 |
Affected products
- cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:-:*:*:*:*:*:*:*
References
- blog.arfevrier.fr/open-cluster-management-cross-cluster-escape/ (NVD: Exploit, Third Party Advisory)
- access.redhat.com/security/cve/CVE-2026-4740 (NVD: Vendor Advisory)
- bugzilla.redhat.com/show_bug.cgi (NVD: Issue Tracking, Vendor Advisory)
- github.com/advisories/GHSA-q4gv-pjmh-c735 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-4740 (GHSA: Advisory)
- blog.arfevrier.fr/open-cluster-management-cross-cluster-escape (GHSA: Web)
- github.com/open-cluster-management-io/ocm/commit/9e70cc1e21a15239c81111062c0b37df4b5a8026 (GHSA: Web, fix commit)