HIGH 7.4

CVE-2026-46579: OpenShift Router Header Spoofing Bypasses Mutual TLS Authentication

OpenShift Router has a header-spoofing vulnerability that breaks mutual TLS authentication when routes are configured to allow unencrypted HTTP traffic. An attacker can send plain HTTP requests with forged client certificate headers, tricking backend services into accepting them as though they came from legitimate authenticated clients. This bypasses the certificate-based trust model that many organizations rely on for service-to-service security.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.4 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Weaknesses (CWE)
CWE-287
Affected products
2 configuration(s)
Published / Modified
2026-05-29 / 2026-06-30

NVD description (verbatim)

A flaw was found in the OpenShift Router. When a Route has `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend does not remove `X-SSL-Client-*` headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted `X-SSL-Client-*` headers. As a result, backends relying on these headers for mutual TLS (Transport Layer Security) authentication can be bypassed, enabling the attacker to impersonate client certificate identities.

11 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from insufficient header sanitization in the OpenShift Router's HTTP frontend. When a Route object has `insecureEdgeTerminationPolicy` set to Allow, the router terminates TLS at the edge but forwards downstream traffic over plain HTTP without removing `X-SSL-Client-*` headers that indicate client certificate information. An attacker sending crafted HTTP requests can inject these headers directly, allowing backend systems that trust them for mutual TLS validation to accept unauthenticated connections as if they were authenticated clients. The attack vector is network-based, requires no credentials, but depends on the specific Route configuration and backend reliance on these headers (CWE-287: Improper Authentication).

Business impact

Organizations using OpenShift Router with unencrypted termination policies may have their service-to-service authentication completely undermined. If microservices rely on X-SSL-Client-* headers to verify client identity and enforce authorization, attackers can bypass those controls and gain unauthorized access to sensitive backend services. This is particularly damaging in zero-trust or mutual TLS-enforced architectures, where certificate-based identity is meant to be the foundation of security. Lateral movement, data exfiltration, and privilege escalation within the cluster become possible without detection.

Affected systems

Red Hat OpenShift Container Platform and OpenShift Router are affected. The vulnerability only manifests on Routes explicitly configured with `insecureEdgeTerminationPolicy: Allow`, which permits HTTP termination. Organizations using the default secure termination policies (redirect or passthrough) are not affected. The severity of impact depends on whether backend applications in the cluster rely on X-SSL-Client-* headers for authentication decisions.

Exploitability

The attack is straightforward to execute: an attacker simply crafts an HTTP request with spoofed X-SSL-Client-* headers and sends it to the router. However, the CVSS score of 7.4 reflects a moderate attack complexity—exploitation requires that the Route be configured with the Allow policy and that downstream services actually trust these headers for authentication. No special privileges or user interaction are needed. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog, but the low barrier to entry and high authentication bypass potential make it attractive once widely publicized.

Remediation

Immediately audit all OpenShift Routes to identify those with `insecureEdgeTerminationPolicy: Allow`. For each such Route, evaluate whether it is necessary or whether it can be changed to `Redirect` (which forces HTTPS) or `Passthrough` (which offloads TLS to the backend). Organizations that must use the Allow policy should ensure backend services do not rely on X-SSL-Client-* headers for authentication; instead, enforce mutual TLS end-to-end or use other header-resistant authentication mechanisms. Red Hat will issue a patch for the OpenShift Router that sanitizes these headers—verify patch availability and version numbers in the Red Hat Security Advisory.

Patch guidance

Check Red Hat's security advisories for OpenShift Container Platform and Router updates that address this header-sanitization flaw. Apply patches to the Router component as soon as they are available. In the interim, mitigate by reconfiguring Routes away from the Allow policy where operationally feasible, or by implementing network policies and service mesh controls (such as Istio) to enforce mutual TLS authentication independently of HTTP headers. Test patches in a non-production environment first to ensure they do not break existing Routes or downstream integrations.

Detection guidance

Monitor HTTP traffic reaching the OpenShift Router for requests containing X-SSL-Client-* headers originating from untrusted external sources. Log and alert on any such requests, particularly those attempting to impersonate high-privilege client certificates or accessing restricted backend services. Enable audit logging for Route configuration changes, especially any modification to `insecureEdgeTerminationPolicy`. Check backend application logs for authentication decisions that rely solely on these headers; cross-reference with actual client certificate validation at the TLS layer to identify mismatches that may indicate header spoofing.

Why prioritize this

This vulnerability warrants urgent attention because it breaks authentication assumptions in containerized and Kubernetes-native environments. Many organizations implement zero-trust architectures with mutual TLS specifically to avoid relying on network perimeter security; this flaw undermines that model. The attack is trivial to execute once a vulnerable Route is identified, and the impact—complete authentication bypass—is severe. Organizations using OpenShift in security-critical environments should prioritize patching. However, the requirement for a specific Route configuration (Allow policy) and downstream reliance on headers means not all deployments are equally exposed; prioritize based on your Route inventory and whether any rely on X-SSL-Client-* for authentication.

Risk score, explained

The CVSS 3.1 score of 7.4 (HIGH) reflects a network-accessible attack with high confidentiality and integrity impact (unauthenticated access to backends, impersonation of clients) but no availability impact. The moderate attack complexity accounts for the need to identify and target Routes with the Allow policy and services that trust the spoofed headers. This score appropriately captures the severity for vulnerable deployments while acknowledging that some configurations mitigate the risk.

Frequently asked questions

Does this affect all OpenShift deployments?

No. Only Routes with `insecureEdgeTerminationPolicy: Allow` are vulnerable, and only if backend services rely on X-SSL-Client-* headers for authentication. Routes using Redirect or Passthrough policies are unaffected. Audit your Route inventory to determine your exposure.

Can I use a service mesh to protect against this?

Yes. Tools like Istio enforce mutual TLS at the application layer, independent of HTTP headers. If you implement Istio or similar service mesh with strict mTLS enforcement, you add defense-in-depth against header spoofing. However, this does not replace patching the router itself.

What if I need to allow insecure HTTP for legacy applications?

If Allow policy is necessary for legacy apps, ensure those backends do NOT use X-SSL-Client-* headers for authentication. Instead, implement mutual TLS termination at the backend (sidecar proxy or embedded in the app) or use opaque token-based authentication. Also restrict network access to the affected Route using Kubernetes NetworkPolicy or equivalent firewalling.

Will this be exploited in the wild before patches are available?

The vulnerability is not yet in CISA's KEV catalog, suggesting active exploitation has not been widespread or confirmed. However, the simplicity of exploitation means organizations should not delay patching. Apply patches as soon as Red Hat releases them, especially in internet-facing clusters.

This analysis is based on the CVE description and CVSS vector as of the publication date. Patch version numbers and specific remediation steps should be verified against the official Red Hat Security Advisory. Exploitability and impact vary based on Route configuration and application architecture. Organizations should conduct their own risk assessment and testing before deploying patches in production. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance for specific deployments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).