CVE-2026-10101

Summary

ACM/MCE assisted-service writes raw referenced pull-secret contents into InfraEnv.status.conditions[].message when pull-secret validation fails. A namespace principal with the stock view ClusterRole cannot directly read Secrets, but can read InfraEnv objects and recover the referenced Secret's .dockerconfigjson data from status.

This bypasses the Kubernetes/OpenShift RBAC separation between read-only namespace viewers and Secret readers. In the reproduced proof, the same ServiceAccount was denied get and list on Secrets, but recovered synthetic pull-secret username, password, email, and base64 auth fields through InfraEnv.status.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-201: Insertion of Sensitive Information Into Sent Data

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References