CVE-2026-10609 | A missing authorization flaw was found in the OpenShift Clus… | CVSS 6.8 MEDIUM

Description

A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrate SA tokens and escalate privileges.

Metadata

CVE ID: CVE-2026-10609
State: PUBLISHED
Assigner: redhat
Reserved: 2026-06-02 11:48 UTC
Published: 2026-06-23 13:26 UTC
Last updated: 2026-06-23 13:58 UTC
Primary CWE: CWE-862
Missing Authorization
Vendor / Product: Red Hat / Logging Subsystem for Red Hat OpenShift
Sources: cve.org · NVD

Severity & Metrics

6.8 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Red Hat	Logging Subsystem for Red Hat OpenShift	—	—

Weakness (CWE)

CWE	Source	Description
CWE-862	cna	Missing Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.8	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

References (2)