CVE-2026-10843 Overview
CVE-2026-10843 is an excessive-privilege flaw in the OpenShift Cloud Credential Operator (CCO) Mint-mode IAM policies for Amazon Web Services (AWS). The operator provisions AWS Identity and Access Management (IAM) credentials with account-wide scope for destructive actions rather than scoping permissions to cluster-owned resources. An attacker who compromises these over-privileged credentials can affect AWS resources outside the OpenShift cluster boundary. The weakness maps to CWE-250: Execution with Unnecessary Privileges. Red Hat tracks the issue under Red Hat Bug Report #2484738.
Critical Impact
Compromise of CCO Mint-mode credentials enables cross-scope destructive actions against AWS resources beyond the OpenShift cluster, including resources owned by other workloads in the same AWS account.
Affected Products
- Red Hat OpenShift Container Platform (Cloud Credential Operator in Mint mode)
- OpenShift clusters deployed on AWS using Mint-mode credential provisioning
- AWS accounts hosting OpenShift clusters with CCO-managed IAM policies
Discovery Timeline
- 2026-06-04 - CVE-2026-10843 published to the National Vulnerability Database (NVD)
- 2026-06-04 - Last updated in NVD database
Technical Details for CVE-2026-10843
Vulnerability Analysis
The Cloud Credential Operator manages IAM credentials for OpenShift components running on AWS. In Mint mode, the CCO creates IAM users and policies on demand for cluster operators such as the machine API, ingress controller, and storage drivers. The flaw stems from IAM policy statements that grant destructive actions across the entire AWS account instead of restricting them to cluster-owned Amazon Resource Names (ARNs).
An attacker who obtains one of these credentials, through container escape, leaked secrets, or supply chain compromise, can invoke destructive AWS API calls against resources outside the cluster. Examples include terminating Amazon Elastic Compute Cloud (EC2) instances, deleting Amazon Elastic Block Store (EBS) volumes, or removing load balancers belonging to unrelated workloads sharing the AWS account.
Root Cause
The root cause is overly broad IAM policy Resource declarations. Destructive actions such as ec2:TerminateInstances, ec2:DeleteVolume, and elasticloadbalancing:DeleteLoadBalancer are bound to Resource: "*" rather than ARNs filtered by cluster-specific tags or naming prefixes. This violates least-privilege and concentrates blast radius at the AWS account level.
Attack Vector
Exploitation requires that an attacker first obtain valid CCO-minted AWS credentials. The CVSS vector indicates network reachability with high privileges already held. Once credentials are in hand, the attacker authenticates to the AWS API and issues destructive calls against arbitrary resources in the account. No additional vulnerability chain is required because the IAM policy itself authorizes the activity.
No verified proof-of-concept code is published. The vulnerability is configuration-driven rather than memory-based, so exploitation occurs through standard AWS SDK or CLI calls against the AWS control plane. Refer to the Red Hat CVE-2026-10843 Advisory for vendor analysis.
Detection Methods for CVE-2026-10843
Indicators of Compromise
- AWS CloudTrail events showing destructive API calls (TerminateInstances, DeleteVolume, DeleteLoadBalancer) invoked by CCO-minted IAM users against resources lacking cluster ownership tags.
- IAM policy documents attached to CCO-created users containing Resource: "*" for destructive actions.
- Unexpected AWS API calls originating from outside known OpenShift node IP ranges using CCO-minted access keys.
Detection Strategies
- Audit attached IAM policies for users and roles created by the Cloud Credential Operator, flagging any destructive action paired with a wildcard resource.
- Correlate CloudTrail userIdentity.userName fields against the CCO naming convention and validate target ARNs against the cluster infrastructure ID tag.
- Enable AWS Config rules to detect IAM policies that grant ec2:Terminate*, ec2:Delete*, or equivalent actions without resource scoping.
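The first two detection strategies above amount to a static audit of policy documents: flag any Allow statement that pairs a destructive action with a wildcard resource and carries no cluster-tag condition. The following script is an added example, not code from the advisory or from the Cloud Credential Operator. The policy documents are constructed samples, the destructive-action patterns are an assumption built from the actions the advisory names, and <infra-id> stands in for a real cluster infrastructure ID.

```python
"""Audit IAM policy documents for the CVE-2026-10843 shape: destructive actions
allowed on a wildcard Resource with no cluster-ownership condition.

Added example (not advisory or CCO code). Policies below are constructed samples.
"""
import fnmatch
import json

# Assumed destructive-action patterns: any EC2 Terminate*/Delete* and ELB Delete*.
DESTRUCTIVE_PATTERNS = ("ec2:Terminate*", "ec2:Delete*", "elasticloadbalancing:Delete*")

# A Condition on this key family scopes a statement to cluster-owned resources.
SCOPING_KEY_PREFIX = "aws:ResourceTag/kubernetes.io/cluster/"


def _as_list(value):
    """IAM allows a bare string where a list is expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_is_destructive(action):
    """True if an Action entry grants a destructive call. Policy actions can carry
    wildcards themselves ("ec2:*", "*"), so match in both directions."""
    return any(
        fnmatch.fnmatchcase(action, pat) or fnmatch.fnmatchcase(pat, action)
        for pat in DESTRUCTIVE_PATTERNS
    )


def resource_is_unscoped(resource):
    """A bare "*" or an ARN whose last component is a wildcard covers every resource
    of that type in the account; only a tag condition can narrow it to the cluster."""
    return resource == "*" or resource.endswith("/*") or resource.endswith(":*")


def has_cluster_scoping_condition(statement):
    """True if any Condition operator references aws:ResourceTag/kubernetes.io/cluster/..."""
    return any(
        key.startswith(SCOPING_KEY_PREFIX)
        for keys in statement.get("Condition", {}).values()
        for key in keys
    )


def find_unscoped_destructive(policy):
    """Return one finding per Allow statement that pairs a destructive action with
    an unscoped resource and has no cluster-tag condition. NotAction statements
    carry no Action list and are not evaluated here."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        destructive = [a for a in _as_list(stmt.get("Action")) if action_is_destructive(a)]
        if not destructive:
            continue
        # NotResource grants everything except the listed ARNs: treat as unscoped.
        if "NotResource" in stmt:
            unscoped = ["NotResource:" + json.dumps(stmt["NotResource"])]
        else:
            unscoped = [r for r in _as_list(stmt.get("Resource")) if resource_is_unscoped(r)]
        if not unscoped or has_cluster_scoping_condition(stmt):
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement[{idx}]"),
            "actions": destructive,
            "resources": unscoped,
        })
    return findings


# Constructed sample in the over-broad shape the advisory describes.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Describe", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Sid": "Destructive", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume",
                    "elasticloadbalancing:DeleteLoadBalancer"],
         "Resource": "*"},
    ],
}

# Constructed sample of the same statement scoped by the cluster ownership tag.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Destructive", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume"],
         "Resource": "*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/kubernetes.io/cluster/<infra-id>": "owned"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("BROAD_POLICY", BROAD_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, json.dumps(find_unscoped_destructive(policy), indent=2))
```

In practice the policy documents would come from `aws iam get-user-policy` and `aws iam get-policy-version` for each CCO-created user; the checker flags BROAD_POLICY's "Destructive" statement and passes SCOPED_POLICY, whose only difference is the ResourceTag condition.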
Monitoring Recommendations
- Stream AWS CloudTrail and AWS Config findings into a centralized analytics platform for continuous policy drift detection.
- Alert on any successful destructive API call where the targeted resource lacks the expected kubernetes.io/cluster/<infra-id> tag.
- Track creation and rotation of CCO-managed IAM users and review attached policies during each rotation cycle.
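The monitoring recommendations above, together with the source-IP indicator in the IoC list, combine into one CloudTrail correlation rule: for each destructive call by a CCO-minted user, check the targeted resource for the kubernetes.io/cluster/<infra-id> tag and the caller IP against the node network. The script below is an added example, not code from the advisory or from OpenShift. The CloudTrail records and the resource-tag inventory are constructed; the infra-id value, the assumption that CCO user names start with the infra-id, and the node CIDR would all come from the real cluster and VPC.

```python
"""Flag destructive CloudTrail events by CCO-minted IAM users that target resources
without the cluster ownership tag or arrive from outside the node CIDRs.

Added example (not advisory or OpenShift code). Records and inventory are constructed;
INFRA_ID, the user-name prefix convention and NODE_CIDRS are assumptions.
"""
import ipaddress
import json

INFRA_ID = "mycluster-ab1c2"                        # placeholder infra-id
CLUSTER_TAG = f"kubernetes.io/cluster/{INFRA_ID}"   # expected ownership tag
NODE_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]  # assumed node/VPC range
DESTRUCTIVE_EVENTS = {"TerminateInstances", "DeleteVolume", "DeleteLoadBalancer"}
SHARED_LB = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/shared-web/0123abcd"

# Constructed inventory: resource id or ARN -> tags (in practice built from
# ec2:DescribeTags or the Resource Groups Tagging API).
RESOURCE_TAGS = {
    "i-0aaa111": {CLUSTER_TAG: "owned", "Name": f"{INFRA_ID}-worker-a"},
    "i-0bbb222": {"Name": "payments-db"},          # unrelated workload, same account
    "vol-0ccc333": {CLUSTER_TAG: "owned"},
    SHARED_LB: {"team": "web"},                    # unrelated workload, same account
}


def extract_targets(record):
    """Pull the resource ids an event acts on from requestParameters
    (shapes assumed from the EC2/ELB API request formats)."""
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    if name == "TerminateInstances":
        return [i["instanceId"] for i in params.get("instancesSet", {}).get("items", [])]
    if name == "DeleteVolume":
        return [params["volumeId"]] if "volumeId" in params else []
    if name == "DeleteLoadBalancer":  # ELBv2 identifies by ARN, classic ELB by name
        return [params[k] for k in ("loadBalancerArn", "loadBalancerName") if k in params]
    return []


def is_cco_user(record):
    """Assumed CCO naming convention: IAM users prefixed with the infra-id."""
    ident = record.get("userIdentity", {})
    return ident.get("type") == "IAMUser" and ident.get("userName", "").startswith(INFRA_ID + "-")


def source_outside_nodes(record):
    """True if the caller IP lies outside every known node CIDR."""
    try:
        ip = ipaddress.ip_address(record.get("sourceIPAddress", ""))
    except ValueError:
        return False  # calls made on the caller's behalf by AWS services show a DNS name
    return not any(ip in net for net in NODE_CIDRS)


def analyze(records):
    """Return one alert per destructive CCO-user event that has at least one reason."""
    alerts = []
    for rec in records:
        if rec.get("eventName") not in DESTRUCTIVE_EVENTS or not is_cco_user(rec):
            continue
        reasons = []
        for target in extract_targets(rec):
            # Unknown resources are treated as untagged (conservative).
            if RESOURCE_TAGS.get(target, {}).get(CLUSTER_TAG) != "owned":
                reasons.append(f"untagged-target:{target}")
        if source_outside_nodes(rec):
            reasons.append(f"source-outside-nodes:{rec['sourceIPAddress']}")
        if reasons:
            alerts.append({
                "eventID": rec.get("eventID"),
                "eventName": rec["eventName"],
                "user": rec["userIdentity"]["userName"],
                "succeeded": "errorCode" not in rec,  # denied attempts are still worth seeing
                "reasons": reasons,
            })
    return alerts


CCO_USER = f"{INFRA_ID}-openshift-machine-api-aws-x1y2z"  # constructed user name

# Constructed CloudTrail records (only the fields this example reads).
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "TerminateInstances", "sourceIPAddress": "10.0.12.5",
     "userIdentity": {"type": "IAMUser", "userName": CCO_USER},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0aaa111"}]}}},
    {"eventID": "e2", "eventName": "TerminateInstances", "sourceIPAddress": "10.0.12.5",
     "userIdentity": {"type": "IAMUser", "userName": CCO_USER},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0bbb222"}]}}},
    {"eventID": "e3", "eventName": "DeleteLoadBalancer", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": CCO_USER},
     "requestParameters": {"loadBalancerArn": SHARED_LB}},
    {"eventID": "e4", "eventName": "DeleteVolume", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"volumeId": "vol-0ccc333"}},
]

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

Event e1 (cluster-owned instance, call from inside the node range) produces no alert; e2 fires on the untagged instance; e3 fires twice over, on the untagged load balancer and on the external source address; e4 is ignored because the caller is not a CCO-minted user. Treating unknown resources as untagged is deliberate, since a resource missing from the inventory is exactly the kind of out-of-cluster target the advisory warns about.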
How to Mitigate CVE-2026-10843
Immediate Actions Required
- Inventory all OpenShift clusters running CCO in Mint mode on AWS and identify the IAM users and policies created by the operator.
- Rotate AWS credentials issued by the Cloud Credential Operator and revoke any keys suspected of exposure.
- Apply the Red Hat security update referenced in the Red Hat CVE-2026-10843 Advisory when available.
Patch Information
Red Hat tracks remediation through Red Hat Bug Report #2484738. Consult the advisory for fixed component versions and updated policy templates that scope destructive AWS actions to cluster-owned resources.
Workarounds
- Migrate from Mint mode to Manual mode or Short-Term Credentials with AWS Security Token Service (STS), where administrators define narrowly scoped IAM roles per component.
- Manually edit CCO-generated IAM policies to restrict destructive actions to ARNs filtered by the cluster infrastructure ID or required AWS condition keys such as aws:ResourceTag/kubernetes.io/cluster/<infra-id>.
- Enforce Service Control Policies (SCPs) at the AWS Organizations level that block destructive actions on resources lacking the expected cluster ownership tag.
# Example IAM policy condition restricting destructive actions to cluster-owned resources.
# Apply via the AWS CLI after reviewing the Red Hat advisory.
# Note: put-user-policy adds or replaces only the inline policy named below. IAM
# unions Allow statements, so the original broad policy must also be removed
# (aws iam delete-user-policy / detach-user-policy); otherwise it still grants
# account-wide access alongside this scoped one.
aws iam put-user-policy \
  --user-name <cco-minted-user> \
  --policy-name scoped-destructive-actions \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:TerminateInstances",
          "ec2:DeleteVolume"
        ],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "aws:ResourceTag/kubernetes.io/cluster/<infra-id>": "owned"
          }
        }
      }
    ]
  }'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.