CVE-2026-10843: OpenShift Cloud Credential Operator AWS IAM Over-Permissioning Vulnerability
OpenShift's Cloud Credential Operator, when running in Mint mode, assigns AWS credentials with excessive permissions. Instead of limiting destructive actions to resources owned by the cluster, the operator grants account-wide scope. If an attacker compromises these credentials, they can perform destructive actions across the entire AWS account, not just the cluster—making lateral movement and account-wide damage possible.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-250
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-30
NVD description (verbatim)
A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10843 affects the OpenShift Cloud Credential Operator in Mint mode, which dynamically provisions temporary AWS IAM credentials for cluster operations. The vulnerability stems from overly permissive IAM policy configuration that grants destructive action permissions at account scope rather than restricting them to cluster-owned resources via resource-based conditions or explicit ARN whitelisting. An attacker who obtains operator credentials—through pod compromise, service account token exfiltration, or RBAC misconfiguration—gains the ability to execute destructive IAM actions (DeleteUser, DeleteRole, PutUserPolicy, etc.) against any AWS resource in the account, circumventing the intended blast radius limitation.
Business impact
Compromise of operator credentials exposes the entire AWS account to destructive actions by a single attacker. This can result in: deletion of production infrastructure, persistent access through privilege escalation (creating new users/roles), data exfiltration via policy manipulation, and business continuity loss. For organizations running multiple clusters in a shared AWS account, the blast radius extends across all clusters. Recovery requires account-wide credential rotation, IAM audit, and restoration of deleted resources.
Affected systems
OpenShift deployments using the Cloud Credential Operator in Mint mode to manage AWS credentials are affected. Mint mode is the dynamic credential provisioning approach; Static and Passthrough modes are not impacted by this specific IAM scope issue. Organizations should verify their credential operator configuration and AWS IAM policies associated with OpenShift service accounts.
Exploitability
Exploitation requires obtaining operator credentials, which is non-trivial but feasible. Common vectors include: lateral movement from a compromised workload pod, exfiltration of service account tokens via RBAC misconfiguration, or insider access to Kubernetes secrets. Once credentials are obtained, exploitation is straightforward—the overly permissive policies allow immediate account-wide destructive actions without additional exploitation steps. The CVSS 3.1 score of 7.2 (HIGH) reflects high privileges required to obtain the credentials but high impact once obtained.
Remediation
Restrict operator IAM policies to cluster-owned resources using resource-based conditions and explicit ARN constraints. AWS IAM policy should explicitly limit destructive actions to resources tagged with cluster identifiers or within VPCs/security groups dedicated to the cluster. Review and audit all operator service account IAM policies for overly broad permissions. Consider using AWS permissions boundaries to enforce maximum permission scope at the operator role level. Organizations should also harden pod security policies to reduce the attack surface for credential compromise.
Patch guidance
Monitor Red Hat OpenShift security advisories and apply updates to the Cloud Credential Operator when available. Patches will likely tighten IAM policy generation in Mint mode to enforce resource-level scoping. Until patches are available, implement compensating controls by manually auditing and restricting the IAM policies attached to operator service accounts via CloudFormation or Terraform. Verify policy changes in a non-production environment before applying to production clusters.
Detection guidance
Monitor CloudTrail logs for destructive IAM actions (DeleteUser, DeleteRole, AttachUserPolicy, etc.) originating from OpenShift operator service account credentials or assumed roles. Alert on unusual IAM modifications that correlate with operator credential access patterns. Implement AWS Config rules to detect overly permissive IAM policies attached to service roles. In Kubernetes, monitor for suspicious service account token access or exfiltration attempts using RBAC audit logs and network policies. Scan operator pod logs for credential usage anomalies.
Why prioritize this
While the CVSS score is 7.2 (HIGH) and KEV status is not active, this vulnerability warrants rapid remediation due to its account-wide blast radius and the prevalence of shared AWS accounts in enterprise OpenShift environments. A single credential compromise can affect multiple clusters and teams. Organizations running OpenShift in Mint mode on AWS should prioritize policy review and patching immediately after updates are released.
Risk score, explained
CVSS 3.1 score of 7.2 reflects: Network-accessible operator (AV:N), low attack complexity once credentials are obtained (AC:L), high privileges required to initially compromise credentials (PR:H), account-wide destructive impact (C:H, I:H, A:H), and unchanged scope from the cluster context (S:U). The score appropriately weighs the difficulty of obtaining credentials against the catastrophic impact if they are compromised. Contextual risk is elevated for multi-tenant or multi-cluster AWS accounts.
Frequently asked questions
How do I determine if my OpenShift deployment uses Mint mode?
Check your OpenShift cluster's cloud-credentials configuration. Run 'oc get cloudcredential cluster -o yaml' and look for 'spec.credentialsMode: Mint'. If the field is absent or set to a different value (Passthrough, Static, Manual), Mint mode is not in use. Mint mode is the default on AWS for recent OpenShift versions.
What is the difference between Mint mode and other credential modes?
Mint mode dynamically creates temporary AWS credentials scoped to workloads; Static mode uses long-lived credentials; Passthrough mode relies on the host instance role; Manual mode allows custom credential management. Only Mint mode is affected by this vulnerability because it's the only mode that generates policies at provisioning time without proper resource-level scoping.
If my credentials are compromised, what immediate actions should I take?
Immediately rotate AWS credentials used by the operator, audit CloudTrail logs for unauthorized IAM actions, revoke any suspicious IAM policies or users created during the compromise window, restore deleted resources from backups, and review service account tokens in Kubernetes for exfiltration. Consider a full AWS IAM audit and enable AWS CloudTrail alerting for all future destructive actions.
Can I mitigate this without waiting for a patch?
Yes. Manually apply more restrictive IAM policies to operator service accounts using AWS IAM policy documents that explicitly allow only cluster-owned resources (via ARN or resource tags) and deny broad destructive actions. Use AWS permissions boundaries to enforce the maximum permission scope. This requires coordination between AWS administrators and OpenShift operators but significantly reduces blast radius while awaiting official patches.
This analysis is based on the CVE description and CVSS assessment as of the publication date. Affected product versions and specific patch availability were not provided in the source data; organizations should consult official Red Hat OpenShift security advisories for definitive guidance on affected versions and patches. This document does not constitute professional security advice; conduct your own risk assessment based on your infrastructure and threat model. No exploit code or proof-of-concept details are provided in this document. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-12694HIGHForcepoint VPN Client Local Privilege Escalation (CVSS 7.8 HIGH)
- CVE-2026-42061HIGHAcronis DeviceLock DLP Local Privilege Escalation (CVSS 7.3)
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction