CVE-2026-10843

Summary

A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-250: Execution with Unnecessary Privileges

Workarounds

Migrate from CCO Mint mode to STS mode (AWS Security Token Service), which eliminates long-lived IAM users and uses short-lived role-scoped OIDC tokens. Alternatively, switch to CCO Manual mode or Passthrough mode. If mode migration is not immediately feasible, manually restrict the IAM policies on CCO-provisioned IAM users by adding tag-based conditions scoping destructive actions to resources tagged with kubernetes.io/cluster/<infraName>=owned. For S3 actions, restrict Resource to the specific registry bucket ARN rather than "*". Enterprise defense-in-depth: deploy AWS Service Control Policies (SCPs) to deny destructive actions from non-approved principals, and apply IAM Permission Boundaries to CCO-created users.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

cloud-credential-operator: CCO Mint-mode CredentialsRequest manifests grant account-wide IAM access beyond cluster scope on AWS

Additional References

References