MEDIUM 5.0

CVE-2026-10533: OpenShift ResourceQuota Bypass Leads to API Server DoS

A vulnerability in OpenShift Container Platform allows non-privileged users to circumvent resource quota enforcement by creating pods with a never-restart policy. These pods and their associated Kubernetes events are not counted against quota limits, enabling an attacker to flood the cluster's event database (etcd) with activity. The resulting accumulation degrades API server performance across the entire cluster, affecting all users and workloads.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.0 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
Weaknesses (CWE)
CWE-770
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A flaw was found in OpenShift Container Platform. Completed pods with restartPolicy: Never do not count toward ResourceQuota pod limits, and Kubernetes events are not quota-scoped. A non-privileged user who can create pods in a namespace can exploit this to generate a large volume of events that accumulate in etcd, causing API server performance degradation across the cluster.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10533 stems from two quota-enforcement gaps in OpenShift: (1) completed pods configured with restartPolicy: Never do not increment pod count quotas, and (2) Kubernetes events are not scope-restricted by ResourceQuota. A low-privileged user exploiting both gaps can programmatically generate large volumes of events that persist in etcd, consuming resources and slowing API server responses cluster-wide. The attack vector is network-accessible and requires only namespace-level pod creation permissions.

Business impact

Cluster-wide API server degradation directly impairs platform availability for all tenants. Slow or unresponsive API calls disrupt deployment pipelines, pod lifecycle management, and monitoring integrations. In multi-tenant or shared clusters, a single malicious or careless user can degrade service quality for all other teams. This may trigger SLA breaches and operational incidents that require manual intervention or cluster restart to resolve.

Affected systems

Red Hat OpenShift Container Platform is affected. The vulnerability applies to any namespace where a non-privileged user has pod creation permissions. Multi-tenant clusters and those without strict RBAC role separation are at highest risk, as quota evasion becomes a low-barrier attack surface.

Exploitability

Exploitability is straightforward. An attacker needs only basic Kubernetes API knowledge to create pods and trigger events; no special tooling or code execution inside containers is required. However, the attack requires at least namespace-level pod creation rights—public, unauthenticated clusters are not directly vulnerable. The impact is denial-of-service to the control plane rather than data breach or privilege escalation.

Remediation

Red Hat will issue patched versions of OpenShift Container Platform that correctly enforce ResourceQuota on both pod count (including completed pods with restartPolicy: Never) and event accumulation. Administrators should apply the patch as soon as it is released. Interim mitigations include strict RBAC policies limiting pod creation to trusted users, etcd monitoring for unusual event growth, and cluster resource reservations for the API server.

Patch guidance

Watch for Red Hat security advisories on CVE-2026-10533 that specify patched OpenShift Container Platform versions. Apply patches to control plane and all worker nodes according to Red Hat's maintenance windows. Verify the patch resolves quota enforcement for both pod and event resources before returning clusters to full production load. Test in a staging environment first to confirm no operational disruptions.

Detection guidance

Monitor etcd database size growth and API server latency metrics for anomalies. Log and alert on suspicious pod creation patterns from single users (especially pods with short lifespans and high event emission rates). Query the Kubernetes audit log for repeated pod create/delete cycles. Check ResourceQuota status in affected namespaces; if pod counts appear lower than expected event activity, quota evasion may be occurring. Consider enabling event rate limiting on the API server as a temporary control.

Why prioritize this

Although the CVSS score is MEDIUM (5.0), the vulnerability poses meaningful operational risk in shared or multi-tenant clusters. Denial-of-service to the control plane can have cascading effects across all workloads. Prioritization should be elevated if your cluster hosts multiple teams or business-critical services that cannot tolerate API degradation. Organizations with strict namespace isolation and strong RBAC controls have lower immediate urgency but should still patch during a standard maintenance window.

Risk score, explained

The CVSS 3.1 score of 5.0 (MEDIUM) reflects low attack complexity, low privilege requirements, and network accessibility, offset by lack of confidentiality or integrity impact—only availability is affected. The attack scope is changed (network-wide cluster impact from a single namespace action). This score appropriately captures a denial-of-service risk that is real but not as critical as privilege escalation or data exfiltration vulnerabilities.

Frequently asked questions

Can a pod creator in one namespace impact other namespaces?

Yes. The API server performance degradation from etcd overload affects the entire cluster, including all other namespaces. Resource quotas are namespace-scoped, but the event database and API server are cluster-global.

What if we have strict RBAC and limit pod creation to administrators?

Your risk is significantly lower. The vulnerability requires the ability to create pods, so restricting that permission to trusted administrators closes the attack surface. However, you should still apply the patch to prevent accidental misconfiguration or insider threats.

Does this vulnerability allow privilege escalation?

No. This is a denial-of-service vulnerability that degrades cluster performance. It does not grant elevated permissions or access to other users' data. An attacker cannot escape their namespace or elevate their role.

How long does an etcd-bloating attack take to impact the cluster?

This depends on the cluster's etcd capacity, API request rate, and the attacker's pod creation rate. In small or heavily-loaded clusters, noticeable degradation could occur within minutes to hours; in larger clusters it may take longer. Monitoring etcd size is essential for early detection.

This analysis is based on publicly available vulnerability data current as of the publication and modification dates provided. Actual patch availability and versions must be verified directly with Red Hat security advisories and official OpenShift release notes. Organizations should conduct testing in non-production environments before deploying patches. This content is for informational and educational purposes; it does not constitute legal or compliance advice. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor information. Always consult official vendor documentation for definitive guidance on affected versions, mitigations, and remediation timelines. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).