A privilege escalation vulnerability in the OpenShift Cloud Credential Operator (CCO), tracked as CVE-2026-10843, provisions AWS IAM policies with account-wide scope for destructive actions rather than restricting permissions to cluster-owned resources. This allows an attacker who compromises cloud credentials to impact resources beyond the OpenShift cluster.
What Is the Vulnerability?
CVE-2026-10843 is a vulnerability in the OpenShift Cloud Credential Operator’s Mint-mode IAM policy generation for AWS. The CCO provisions AWS IAM credentials with policies that grant account-wide permissions for destructive actions — such as deleting resources, modifying security groups, or terminating instances — rather than scoping those permissions to only the specific resources owned by the OpenShift cluster.
In a properly scoped cloud credential configuration, each OpenShift cluster’s credentials should only be able to affect resources that belong to that cluster — its own EC2 instances, its own S3 buckets, its own IAM roles. The overly permissive policies generated by CVE-2026-10843 mean that if an attacker compromises an OpenShift cluster’s AWS credentials — through a pod escape, a compromised service account, or an exposed secret — they can use those credentials to impact resources across the entire AWS account, not just the cluster’s own resources. This transforms a single-cluster compromise into a potential account-wide incident.
- CVSS v3.1 Score: 7.2 (High)
- CWE: CWE-250 (Execution with Unnecessary Privileges)
Which Versions Are Affected?
OpenShift clusters deployed on AWS using the Cloud Credential Operator in Mint mode. Specific affected versions are detailed in the Red Hat advisory.
What Is the Fix?
Red Hat has released updated CCO configurations that scope IAM policies to cluster-owned resources. Update the Cloud Credential Operator and regenerate IAM policies for affected clusters. The fix restricts policy permissions to specific resource ARNs rather than account-wide wildcards.
Recommendations
Audit AWS IAM policies for OpenShift clusters. Review the IAM policies attached to OpenShift service account roles. Look for policies that use "Resource": "*" for destructive actions (ec2:TerminateInstances, s3:DeleteBucket, iam:DeleteRole, etc.). Replace account-wide wildcards with cluster-specific resource ARNs.
Apply the principle of least privilege to cloud credentials. Each OpenShift cluster should have credentials scoped to only the resources it owns. Use resource tagging and ARN-based conditions in IAM policies to enforce this boundary.
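The audit in the two recommendations above (find Allow statements that pair destructive actions with "Resource": "*", then rescope them to cluster-specific ARNs and tag conditions) can be done mechanically over exported policy documents. The following script is an added example, not Red Hat's or the CCO's code. It assumes the OpenShift convention of tagging cluster-owned AWS resources with kubernetes.io/cluster/<infraID>=owned; the two policy documents, the account ID 111122223333 and the infraID example-abc12 are constructed for the example, and the destructive-action list is a starting point to extend for your own audit scope.

```python
import fnmatch
import json

# Destructive actions the advisory names, plus neighbours in the same API families.
# Constructed list for this example; extend it to match your own audit scope.
DESTRUCTIVE_ACTIONS = [
    "ec2:TerminateInstances",
    "ec2:DeleteSecurityGroup",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupIngress",
    "s3:DeleteBucket",
    "s3:DeleteObject",
    "iam:DeleteRole",
    "iam:DeleteRolePolicy",
]

# Assumption: cluster-owned resources carry the tag kubernetes.io/cluster/<infraID>=owned,
# so a condition on this tag key is accepted as a cluster-ownership boundary.
CLUSTER_TAG_CONDITION_PREFIX = "aws:ResourceTag/kubernetes.io/cluster/"


def _as_list(value):
    """IAM allows scalars or lists for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches_destructive(action_pattern):
    """Destructive actions covered by an IAM action pattern such as 'ec2:*' or '*'."""
    pattern = action_pattern.lower()
    return [a for a in DESTRUCTIVE_ACTIONS if fnmatch.fnmatchcase(a.lower(), pattern)]


def _has_cluster_tag_condition(statement):
    """True if any condition key scopes the statement to the cluster-ownership tag."""
    for _operator, key_values in statement.get("Condition", {}).items():
        if any(key.startswith(CLUSTER_TAG_CONDITION_PREFIX) for key in key_values):
            return True
    return False


def find_overscoped_statements(policy_document):
    """Return Allow statements granting destructive actions on Resource "*"
    with no cluster-ownership tag condition. Accepts a dict or a JSON string."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # already scoped to ARNs; still review partial wildcards by hand
        if _has_cluster_tag_condition(stmt):
            continue  # account-wide ARN, but bounded by the ownership tag
        covered = []
        for pattern in _as_list(stmt.get("Action")):
            covered.extend(_matches_destructive(pattern))
        if covered:
            findings.append({
                "statement_index": idx,
                "sid": stmt.get("Sid"),
                "destructive_actions": sorted(set(covered)),
            })
    return findings


# Constructed policy of the kind the advisory describes: destructive actions, account-wide.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
        {"Sid": "AccountWideDestroy", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "s3:DeleteBucket", "iam:DeleteRole"],
         "Resource": "*"},
    ],
}

# Constructed rescoped policy: same capabilities, bounded to cluster-owned resources
# by ARN patterns and the ownership tag (account ID and infraID are placeholders).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
        {"Sid": "TerminateOwnInstances", "Effect": "Allow", "Action": ["ec2:TerminateInstances"],
         "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/kubernetes.io/cluster/example-abc12": "owned"}}},
        {"Sid": "DeleteOwnBucket", "Effect": "Allow", "Action": ["s3:DeleteBucket"],
         "Resource": "arn:aws:s3:::example-abc12-image-registry"},
        {"Sid": "DeleteOwnRoles", "Effect": "Allow", "Action": ["iam:DeleteRole"],
         "Resource": "arn:aws:iam::111122223333:role/example-abc12-*"},
    ],
}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(find_overscoped_statements(policy), indent=2))
```

Feed it the output of `aws iam get-policy-version` or `get-role-policy` for each role the cluster's CredentialsRequests produced. The check is deliberately conservative: it flags only a literal "*" resource, so an ARN such as arn:aws:ec2:*:*:instance/* is treated as scoped and still needs a manual look, and it reads the policy text rather than evaluating effective permissions, which is what the IAM policy simulator is for.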
References
This advisory was first covered in the broader Vulnerability Intelligence Report — June 5, 2026.
