CVE-2026-10840 Overview
A permissions flaw exists in the Red Hat OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources through the tekton-scheduler-role ClusterRole. Any authenticated cluster user can abuse these permissions when Kueue or cert-manager Custom Resource Definitions (CRDs) are deployed. Attackers can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or force cert-manager to overwrite Transport Layer Security (TLS) Secrets, including the default ingress controller certificate. The weakness is categorized as Incorrect Permission Assignment for Critical Resource [CWE-732].
Critical Impact
Any authenticated OpenShift user can tamper with cross-tenant Kueue workloads and overwrite ingress TLS Secrets when the affected CRDs are present.
Affected Products
- Red Hat OpenShift Pipelines operator
- OpenShift clusters with Kueue CRDs deployed
- OpenShift clusters with cert-manager CRDs deployed
Discovery Timeline
- 2026-06-04 - CVE-2026-10840 published to NVD
- 2026-06-04 - Last updated in NVD database
Technical Details for CVE-2026-10840
Vulnerability Analysis
The OpenShift Pipelines operator installs a tekton-scheduler-rolebinding ClusterRoleBinding that binds the tekton-scheduler-role ClusterRole to the system:authenticated group. That group contains every identity that can authenticate to the API server, including every tenant user and every ServiceAccount token. The bound ClusterRole grants write verbs on Kueue resources (workloads, clusterqueues, localqueues, workloadpriorityclasses) and cert-manager resources (certificates, certificaterequests, issuers). Because the binding is cluster-scoped and not namespaced, the effect is that every authenticated identity, not only the scheduler, can write those resources in every namespace as soon as either CRD set is installed; on a cluster without the CRDs the grant is dormant but still present.
Root Cause
The operator violates least privilege by choosing system:authenticated as the binding subject. The ClusterRole was intended for the Tekton scheduler ServiceAccount, the only identity that needs it, but the binding extends the grant to all logged-in identities. The CWE-732 classification captures this incorrect permission assignment for critical scheduling and certificate resources.
Attack Vector
An authenticated attacker with any valid credential issues ordinary kubectl or oc API calls against Kueue and cert-manager objects; no exploit tooling is required. The attacker can delete Workload objects belonging to other tenants, modify WorkloadPriorityClass definitions to starve or accelerate jobs, or mutate Certificate resources so that cert-manager rewrites the TLS Secret backing the default ingress controller. Replacing the ingress certificate breaks TLS for every route the default ingress controller serves (denial of service), and because the role also permits writes to Issuer objects, the replacement certificate can chain to an issuer under the attacker's control, which turns the outage into a traffic interception opportunity.
No verified exploitation code is published. See the Red Hat CVE-2026-10840 advisory and Red Hat Bug Report #2484720 for additional technical detail.
Detection Methods for CVE-2026-10840
Indicators of Compromise
- Unexpected delete or update audit events against kueue.x-k8s.io resources from non-administrative service accounts or user identities.
- Modifications to cert-manager.io/v1 Certificate or Issuer objects originating from users outside the platform team.
- Unscheduled rotations or content changes on the router-certs-default Secret in the openshift-ingress namespace.
- Newly created WorkloadPriorityClass objects with abnormally high priority values.
Detection Strategies
- Review the ClusterRoleBinding/tekton-scheduler-rolebinding subject list for the presence of system:authenticated or system:authenticated:oauth.
- Enable Kubernetes API audit logging at RequestResponse level for the kueue.x-k8s.io and cert-manager.io API groups.
- Correlate authenticated user identities with write operations against Workload and Certificate objects across namespaces.
Monitoring Recommendations
- Alert on any non-system identity performing write verbs against Kueue or cert-manager CRDs.
- Monitor the integrity of the default ingress TLS Secret using checksum comparison or admission webhook validation.
- Track ClusterRoleBinding changes that include broad groups such as system:authenticated.
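The indicators, detection strategies and monitoring items above reduce to one rule over API server audit events: an admitted write verb against a kueue.x-k8s.io or cert-manager.io object by an identity that is not one of the expected controllers, plus any write to the default ingress TLS Secret. The script below is an added example for this page, not code from Red Hat or the OpenShift Pipelines operator. It reads audit.k8s.io/v1 events in the JSON-lines form the API server audit log uses; the sample events, the user names in them, and the allowlisted ServiceAccount names are constructed assumptions and must be replaced with the identities in your cluster.

```python
"""Detect suspicious writes to Kueue and cert-manager objects in Kubernetes audit logs.

Added example for this page; it is not code from Red Hat or the OpenShift
Pipelines operator. It reads audit.k8s.io/v1 events in JSON-lines form (the
format the API server audit log uses). The sample events and the allowlisted
service-account names below are constructed for illustration.
"""
import json

WATCHED_GROUPS = {"kueue.x-k8s.io", "cert-manager.io"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# Identities expected to write Kueue/cert-manager objects. The names are
# assumptions; replace them with the controller service accounts in your cluster.
ALLOWED_WRITERS = {
    "system:serviceaccount:openshift-pipelines:tekton-scheduler",
    "system:serviceaccount:cert-manager:cert-manager",
    "system:serviceaccount:openshift-kueue-operator:kueue-controller-manager",
}

# The Secret behind the default ingress controller certificate (named on this page).
INGRESS_SECRET = ("openshift-ingress", "router-certs-default")


def classify(event):
    """Return a reason string for an event worth alerting on, or None.

    'crd-write'            : admitted write verb on a watched API group by a
                             user outside ALLOWED_WRITERS
    'ingress-secret-write' : any admitted write to the default ingress TLS
                             Secret, regardless of identity, because a rotation
                             triggered by a tampered Certificate is performed
                             under cert-manager's own identity
    """
    if event.get("stage", "ResponseComplete") != "ResponseComplete":
        return None  # count each request once, not again at RequestReceived
    if event.get("verb") not in WRITE_VERBS:
        return None
    code = (event.get("responseStatus") or {}).get("code", 0)
    if code >= 400:
        return None  # a 403 is a failed probe, not tampering
    obj = event.get("objectRef") or {}
    user = (event.get("user") or {}).get("username", "")
    if obj.get("apiGroup") in WATCHED_GROUPS and user not in ALLOWED_WRITERS:
        return "crd-write"
    if obj.get("resource") == "secrets" and \
            (obj.get("namespace"), obj.get("name")) == INGRESS_SECRET:
        return "ingress-secret-write"
    return None


def scan_audit_lines(lines):
    """Parse JSON-lines audit events and return a list of alert dicts."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        reason = classify(ev)
        if reason is None:
            continue
        obj = ev.get("objectRef") or {}
        alerts.append({
            "reason": reason,
            "user": ev["user"]["username"],
            "verb": ev["verb"],
            "resource": obj.get("resource"),
            "namespace": obj.get("namespace", ""),  # empty for cluster-scoped objects
            "name": obj.get("name", ""),
        })
    return alerts


def cross_namespace_writers(alerts):
    """Users whose flagged CRD writes span more than one namespace. A tenant
    deleting other tenants' Workload objects shows up here."""
    namespaces = {}
    for a in alerts:
        if a["reason"] == "crd-write":
            namespaces.setdefault(a["user"], set()).add(a["namespace"])
    return sorted(u for u, ns in namespaces.items() if len(ns) > 1)


# Constructed sample: one tenant user deleting Workloads in two other teams'
# namespaces and re-pointing a Certificate, followed by the resulting Secret
# rewrite; plus a read, a denied probe, and a legitimate scheduler write.
SAMPLE_AUDIT = r'''
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"delete","user":{"username":"alice","groups":["system:authenticated"]},"objectRef":{"apiGroup":"kueue.x-k8s.io","resource":"workloads","namespace":"team-b","name":"job-42"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"delete","user":{"username":"alice","groups":["system:authenticated"]},"objectRef":{"apiGroup":"kueue.x-k8s.io","resource":"workloads","namespace":"team-c","name":"job-7"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"patch","user":{"username":"alice","groups":["system:authenticated"]},"objectRef":{"apiGroup":"cert-manager.io","resource":"certificates","namespace":"openshift-ingress","name":"default-ingress-cert"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"update","user":{"username":"system:serviceaccount:cert-manager:cert-manager"},"objectRef":{"apiGroup":"","resource":"secrets","namespace":"openshift-ingress","name":"router-certs-default"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"apiGroup":"kueue.x-k8s.io","resource":"workloads","namespace":"team-a","name":"job-1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"delete","user":{"username":"bob"},"objectRef":{"apiGroup":"kueue.x-k8s.io","resource":"clusterqueues","name":"shared"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"update","user":{"username":"system:serviceaccount:openshift-pipelines:tekton-scheduler"},"objectRef":{"apiGroup":"kueue.x-k8s.io","resource":"workloads","namespace":"team-a","name":"pipeline-run-1"},"responseStatus":{"code":200}}
'''

if __name__ == "__main__":
    found = scan_audit_lines(SAMPLE_AUDIT.splitlines())
    for a in found:
        print(f"{a['reason']:22} {a['user']:52} {a['verb']:7} "
              f"{a['resource']}/{a['namespace']}/{a['name']}")
    print("cross-namespace writers:", cross_namespace_writers(found))
```

Run it against a real log with something like `scan_audit_lines(open("audit.log"))`. Two design points matter in practice: the 403 filter keeps failed probes out of the tampering list (track them separately if you want reconnaissance visibility), and the ingress Secret rule deliberately ignores the allowlist, since the rewrite the page describes is carried out by cert-manager's own ServiceAccount and only the Certificate mutation that triggered it comes from the attacker.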
How to Mitigate CVE-2026-10840
Immediate Actions Required
- Inspect the tekton-scheduler-rolebinding ClusterRoleBinding and remove the system:authenticated subject if present.
- Restrict the binding to the dedicated Tekton scheduler ServiceAccount only.
- Audit recent activity against Kueue Workload objects and cert-manager Certificate resources for tampering.
- Apply Red Hat patches for the OpenShift Pipelines operator once available.
Patch Information
Refer to the Red Hat CVE-2026-10840 advisory for the current list of fixed operator versions and errata identifiers. Track the corresponding Red Hat Bug Report #2484720 for vendor remediation status.
Workarounds
- Patch the ClusterRoleBinding subjects with oc patch clusterrolebinding tekton-scheduler-rolebinding to scope access to a single ServiceAccount. The operator owns this object, so re-check the subject list after each operator reconcile or upgrade until a fixed operator version is installed; an operator may restore the manifest it ships.
- Remove unused Kueue or cert-manager CRDs from clusters that do not require them.
- Deploy a validating admission policy that denies writes to Kueue and cert-manager resources from identities outside an allowlist.
# Configuration example: scope the binding to a single ServiceAccount.
# Confirm first (oc get clusterrolebinding tekton-scheduler-rolebinding -o yaml)
# that "tekton-scheduler" in "openshift-pipelines" is the ServiceAccount the
# operator actually uses on your cluster; the replace below discards every
# existing subject, including any Group entry, and keeps only this one.
oc patch clusterrolebinding tekton-scheduler-rolebinding --type=json -p='[
  {"op": "replace", "path": "/subjects", "value": [
    {
      "kind": "ServiceAccount",
      "name": "tekton-scheduler",
      "namespace": "openshift-pipelines"
    }
  ]}
]'
# The operator may reconcile the original subjects back; repeat the check after
# operator upgrades until a fixed operator version is installed.
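The wholesale replace above is the simplest fix, but it also discards any subject you have not looked at. The script below, an added example for this page rather than the operator's code, takes the JSON that oc get clusterrolebinding tekton-scheduler-rolebinding -o json prints, reports the broad-group subjects (system:authenticated, its OpenShift variant system:authenticated:oauth, and system:unauthenticated), and builds the JSON Patch that removes only those entries. The sample binding is constructed; the ServiceAccount name and namespace in it are the same assumptions the page's own patch example makes.

```python
"""Inspect a ClusterRoleBinding for broad-group subjects and build the JSON
Patch that strips them.

Added example for this page; it is not the operator's code. Input is the JSON
that `oc get clusterrolebinding tekton-scheduler-rolebinding -o json` prints.
The sample binding below is constructed; the ServiceAccount name and namespace
in it are the same assumptions the page's patch example uses.
"""
import json

# Groups that make a binding effectively public. system:authenticated:oauth is
# the OpenShift-specific variant; system:unauthenticated would be worse still.
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth", "system:unauthenticated"}


def parse_binding(json_text):
    """Load `oc get ... -o json` output into a dict."""
    return json.loads(json_text)


def broad_subject_indexes(binding):
    """Indexes into .subjects of Group entries that grant the role to everyone."""
    return [i for i, s in enumerate(binding.get("subjects") or [])
            if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS]


def removal_patch(binding):
    """RFC 6902 patch removing only the broad-group subjects.

    Unlike a wholesale 'replace' of /subjects, this keeps any ServiceAccount
    subjects the operator legitimately bound. Indexes are emitted in
    descending order because each 'remove' shifts the entries after it.
    """
    return [{"op": "remove", "path": f"/subjects/{i}"}
            for i in sorted(broad_subject_indexes(binding), reverse=True)]


def apply_locally(binding):
    """Apply the removal patch in memory and return the resulting subject list,
    i.e. what the API server would persist after `oc patch`."""
    subjects = list(binding.get("subjects") or [])
    for i in sorted(broad_subject_indexes(binding), reverse=True):
        del subjects[i]
    return subjects


def oc_patch_argv(binding):
    """argv for the corresponding oc invocation (nothing is executed here)."""
    name = binding["metadata"]["name"]
    return ["oc", "patch", "clusterrolebinding", name,
            "--type=json", "-p", json.dumps(removal_patch(binding))]


# Constructed sample in the shape `oc get clusterrolebinding ... -o json` returns.
SAMPLE_BINDING = '''{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRoleBinding",
  "metadata": {"name": "tekton-scheduler-rolebinding"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
              "name": "tekton-scheduler-role"},
  "subjects": [
    {"kind": "ServiceAccount", "name": "tekton-scheduler", "namespace": "openshift-pipelines"},
    {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:authenticated"},
    {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:authenticated:oauth"}
  ]
}'''

if __name__ == "__main__":
    crb = parse_binding(SAMPLE_BINDING)
    print("broad subjects at indexes:", broad_subject_indexes(crb))
    print("subjects after patch:", apply_locally(crb))
    print(" ".join(oc_patch_argv(crb)))
```

Before and after applying the patch, verify exposure from the API server's point of view rather than by reading the manifest: oc auth can-i delete workloads.kueue.x-k8s.io -A --as=probe-user --as-group=system:authenticated should answer no once the binding is scoped (probe-user is an arbitrary name; the impersonation flags require the impersonate permission, which cluster-admin holds). Repeat with certificates.cert-manager.io and issuers.cert-manager.io, since the page reports write access to those as well.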
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.