CVE-2026-9165

Summary

A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat Advanced Cluster Security for Kubernetes 4.111783352589 < *unaffected
Red HatRed Hat Advanced Cluster Security for Kubernetes 4.91783357116 < *unaffected

Weaknesses

  • CWE-400: Uncontrolled Resource Consumption

Workarounds

There is no complete mitigation other than installing the update once available.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References