Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-2651

Summary
Assigner-@huntr_ai
Assigner Org ID-c09c270a-b464-47c1-9133-acb35b22c19a
Published At-25 May, 2026 | 06:00
Updated At-29 Jun, 2026 | 12:34
Rejected At-
Credits

Missing Authorization Validation in mlflow/mlflow

A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artifacts/mpu/*` endpoints, enabling attackers to overwrite artifacts belonging to other users. This can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded. The issue is resolved in version 3.10.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:@huntr_ai
Assigner Org ID:c09c270a-b464-47c1-9133-acb35b22c19a
Published At:25 May, 2026 | 06:00
Updated At:29 Jun, 2026 | 12:34
Rejected At:
â–¼CVE Numbering Authority (CNA)
Missing Authorization Validation in mlflow/mlflow

A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artifacts/mpu/*` endpoints, enabling attackers to overwrite artifacts belonging to other users. This can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded. The issue is resolved in version 3.10.0.

Affected Products
Vendor
mlflow
Product
mlflow/mlflow
Versions
Affected
  • From unspecified before 3.10.0 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.09.0CRITICAL
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Version: 3.0
Base score: 9.0
Base severity: CRITICAL
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://huntr.com/bounties/65beb119-d3e0-4e03-af2f-fa98f78f83dc
N/A
https://github.com/mlflow/mlflow/commit/d7290811d8f3c95366d80109424edc1fb1ad966f
N/A
Hyperlink: https://huntr.com/bounties/65beb119-d3e0-4e03-af2f-fa98f78f83dc
Resource: N/A
Hyperlink: https://github.com/mlflow/mlflow/commit/d7290811d8f3c95366d80109424edc1fb1ad966f
Resource: N/A
â–¼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://huntr.com/bounties/65beb119-d3e0-4e03-af2f-fa98f78f83dc
exploit
Hyperlink: https://huntr.com/bounties/65beb119-d3e0-4e03-af2f-fa98f78f83dc
Resource:
exploit
2. github.com/mlflow/mlflow: MLflow: Arbitrary code execution via unauthorized multipart upload access

A flaw was found in MLflow when the `--serve-artifacts` mode is enabled. A remote attacker can exploit this vulnerability due to insufficient resource-level permission checks for multipart upload (MPU) endpoints. This allows the attacker to overwrite artifacts belonging to other users, which can lead to model supply chain poisoning and potentially arbitrary code execution when compromised models are loaded.

Affected Products
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat OpenShift AI (RHOAI)
CPEs
  • cpe:/a:redhat:openshift_ai
Default Status
unaffected
Problem Types
TypeCWE IDDescription
CWECWE-1220Insufficient Granularity of Access Control
Type: CWE
CWE ID: CWE-1220
Description: Insufficient Granularity of Access Control
Metrics
VersionBase scoreBase severityVector
3.19.0CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 9.0
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Metrics Other Info
Red Hat severity rating
value:
Critical
namespace:
https://access.redhat.com/security/updates/classification/
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Reported to Red Hat.2026-05-25 07:00:55
Made public.2026-05-25 06:00:34
Event: Reported to Red Hat.
Date: 2026-05-25 07:00:55
Event: Made public.
Date: 2026-05-25 06:00:34
Replaced By

Rejected Reason

References
HyperlinkResource
https://access.redhat.com/security/cve/CVE-2026-2651
vdb-entry
x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2481117
issue-tracking
x_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2651.json
x_sadp-csaf-vex
Hyperlink: https://access.redhat.com/security/cve/CVE-2026-2651
Resource:
vdb-entry
x_refsource_REDHAT
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2481117
Resource:
issue-tracking
x_refsource_REDHAT
Hyperlink: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2651.json
Resource:
x_sadp-csaf-vex
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@huntr.dev
Published At:25 May, 2026 | 07:16
Updated At:27 Jun, 2026 | 05:16

A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artifacts/mpu/*` endpoints, enabling attackers to overwrite artifacts belonging to other users. This can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded. The issue is resolved in version 3.10.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.0CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Secondary3.09.0CRITICAL
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
N/A
Type: Secondary
Version: 3.1
Base score: 9.0
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Type: Secondary
Version: 3.0
Base score: 9.0
Base severity: CRITICAL
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

lfprojects
lfprojects
>>mlflow>>Versions up to 3.10.1(inclusive)
cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primarysecurity@huntr.dev
CWE-1220Secondary0b0ca135-0b70-47e7-9f44-1890c2a1c46c
CWE ID: CWE-862
Type: Primary
Source: security@huntr.dev
CWE ID: CWE-1220
Type: Secondary
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/mlflow/mlflow/commit/d7290811d8f3c95366d80109424edc1fb1ad966fsecurity@huntr.dev
Patch
https://huntr.com/bounties/65beb119-d3e0-4e03-af2f-fa98f78f83dcsecurity@huntr.dev
Exploit
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2026-26510b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
https://bugzilla.redhat.com/show_bug.cgi?id=24811170b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
https://huntr.com/bounties/65beb119-d3e0-4e03-af2f-fa98f78f83dc134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Third Party Advisory
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2651.json0b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
Hyperlink: https://github.com/mlflow/mlflow/commit/d7290811d8f3c95366d80109424edc1fb1ad966f
Source: security@huntr.dev
Resource:
Patch
Hyperlink: https://huntr.com/bounties/65beb119-d3e0-4e03-af2f-fa98f78f83dc
Source: security@huntr.dev
Resource:
Exploit
Third Party Advisory
Hyperlink: https://access.redhat.com/security/cve/CVE-2026-2651
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2481117
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A
Hyperlink: https://huntr.com/bounties/65beb119-d3e0-4e03-af2f-fa98f78f83dc
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
Exploit
Third Party Advisory
Hyperlink: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2651.json
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

45Records found

CVE-2025-15379
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9||CRITICAL
EPSS-1.99% / 78.27%
||
7 Day CHG-0.36%
Published-30 Mar, 2026 | 07:16
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection in mlflow/mlflow

A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.

Action-Not Available
Vendor-lfprojectsmlflowRed Hat, Inc.
Product-mlflowmlflow/mlflowRed Hat OpenShift AI (RHOAI)
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-12548
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-9||CRITICAL
EPSS-1.16% / 63.41%
||
7 Day CHG~0.00%
Published-13 Jan, 2026 | 15:35
Updated-21 Jan, 2026 | 22:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Github.com/che-incubator/che-code: eclipse che — unauthenticated rce and secret exfiltration via tcp/3333

A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat OpenShift Dev Spaces (RHOSDS) 3.23Red Hat OpenShift Dev Spaces (RHOSDS) 3.22Red Hat OpenShift Dev Spaces (RHOSDS) 3.24
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-44727
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-0.23% / 13.32%
||
7 Day CHG-0.01%
Published-22 Jun, 2026 | 19:56
Updated-30 Jun, 2026 | 12:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP

Jupyter Server is the backend for Jupyter web applications. Prior to 2.20, the nbconvert HTTP handlers in jupyter_server render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their Content-Security-Policy. Combined with nbconvert.HTMLExporter's default non-sanitizing behavior, a notebook carrying an HTML payload in a display_data output triggers stored XSS with cookie access, full /api/* authority, and kernel RCE. This vulnerability is fixed in 2.20.

Action-Not Available
Vendor-jupyterjupyter-serverRed Hat, Inc.
Product-jupyter_serverjupyter_serverMigration Toolkit for Applications 8Red Hat OpenShift AI (RHOAI)
CWE ID-CWE-1021
Improper Restriction of Rendered UI Layers or Frames
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-34078
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-1.68% / 74.12%
||
7 Day CHG+0.04%
Published-07 Apr, 2026 | 21:27
Updated-30 Jun, 2026 | 12:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Flatpak has a complete sandbox escape leading to host file access and code execution in the host context

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.

Action-Not Available
Vendor-flatpakflatpakRed Hat, Inc.
Product-flatpakflatpakRed Hat Enterprise Linux CRB (v. 8)Red Hat Enterprise Linux AppStream EUS (v. 10.0)Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)Red Hat Enterprise Linux AppStream EUS (v.9.6)Red Hat Enterprise Linux AppStream AUS (v.8.6)Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)Red Hat Enterprise Linux 7Red Hat Enterprise Linux AppStream E4S (v.9.4)Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)Red Hat Enterprise Linux AppStream TUS (v.8.8)Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux AppStream (v. 8)Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)Red Hat Enterprise Linux AppStream (v. 10)Red Hat Enterprise Linux AppStream E4S (v.9.2)Red Hat Enterprise Linux AppStream E4S (v.8.8)Red Hat CodeReady Linux Builder EUS (v.9.6)Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)Red Hat Enterprise Linux AppStream AUS (v.8.4)
CWE ID-CWE-59
Improper Link Resolution Before File Access ('Link Following')
CWE ID-CWE-61
UNIX Symbolic Link (Symlink) Following
CVE-2026-27140
Matching Score-8
Assigner-Go Project
ShareView Details
Matching Score-8
Assigner-Go Project
CVSS Score-8.8||HIGH
EPSS-0.66% / 47.01%
||
7 Day CHG+0.13%
Published-08 Apr, 2026 | 01:06
Updated-30 Jun, 2026 | 03:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Code execution vulnerability in SWIG code generation in cmd/go

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

Action-Not Available
Vendor-Go toolchainGoRed Hat, Inc.
Product-gocmd/goRed Hat Enterprise Linux AppStream EUS (v. 10.0)Red Hat OpenShift Container Platform 4.18Red Hat Enterprise Linux AppStream EUS (v.9.6)Red Hat Enterprise Linux AppStream AUS (v.8.6)Red Hat Enterprise Linux AppStream E4S (v.8.6)Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)Red Hat Hardened ImagesRed Hat Enterprise Linux AppStream TUS (v.8.8)Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux AppStream (v. 8)Red Hat Enterprise Linux AppStream (v. 10)Red Hat Enterprise Linux AppStream E4S (v.9.2)Red Hat OpenShift Container Platform 4Red Hat OpenShift Virtualization 4Red Hat Enterprise Linux AppStream TUS (v.8.6)Red Hat Enterprise Linux AppStream E4S (v.8.8)Red Hat Enterprise Linux AppStream EUS (v.9.4)Red Hat Enterprise Linux 8Red Hat Enterprise Linux AppStream AUS (v.8.4)Red Hat Enterprise Linux AppStream E4S (v.9.0)OpenShift Service Mesh 2OpenShift Service Mesh 3Red Hat OpenShift Container Platform 4.19
CWE ID-CWE-641
Improper Restriction of Names for Files and Other Resources
CWE ID-CWE-863
Incorrect Authorization
CVE-2017-2589
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-8.7||HIGH
EPSS-0.93% / 56.11%
||
7 Day CHG~0.00%
Published-26 Jul, 2018 | 15:00
Updated-05 Aug, 2024 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was discovered that the hawtio servlet 1.4 uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies.

Action-Not Available
Vendor-hawtRed Hat, Inc.
Product-jboss_fusehawtiohawtio
CWE ID-CWE-285
Improper Authorization
CVE-2023-6940
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9||CRITICAL
EPSS-1.22% / 64.99%
||
7 Day CHG~0.00%
Published-19 Dec, 2023 | 01:41
Updated-07 May, 2025 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection

with only one user interaction(download a malicious config), attackers can gain full command execution on the victim system.

Action-Not Available
Vendor-lfprojectsmlflow
Product-mlflowmlflow/mlflow
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2019-3873
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-6.4||MEDIUM
EPSS-0.93% / 56.14%
||
7 Day CHG~0.00%
Published-12 Jun, 2019 | 13:43
Updated-04 Aug, 2024 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks.

Action-Not Available
Vendor-Red Hat, Inc.
Product-jboss_enterprise_application_platformsingle_sign-onenterprise_linuxpicketlink
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-9088
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-2.7||LOW
EPSS-0.35% / 26.77%
||
7 Day CHG~0.00%
Published-05 Jun, 2026 | 07:52
Updated-26 Jun, 2026 | 08:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak: keycloak: information disclosure due to user profile permission bypass

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat build of Keycloak 26.4Red Hat build of Keycloak 26.6.3Red Hat build of Keycloak 26.6Red Hat build of Keycloak 26.4.13
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CVE-2026-6388
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.36% / 27.67%
||
7 Day CHG+0.04%
Published-15 Apr, 2026 | 21:34
Updated-30 Jun, 2026 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Argocd-image-updater: argocd image updater: cross-namespace privilege escalation via insufficient namespace validation

A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat OpenShift GitOpsRed Hat OpenShift GitOps
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CVE-2025-13772
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-7.1||HIGH
EPSS-0.39% / 30.58%
||
7 Day CHG+0.11%
Published-09 Jan, 2026 | 10:04
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests.

Action-Not Available
Vendor-Red Hat, Inc.GitLab Inc.
Product-gitlabGitLabRed Hat OpenShift Container Platform 4OpenShift Pipelines
CWE ID-CWE-862
Missing Authorization
CVE-2023-6725
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.20% / 10.30%
||
7 Day CHG~0.00%
Published-15 Mar, 2024 | 12:38
Updated-25 Feb, 2026 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tripleo-ansible: bind keys are world readable

An access-control flaw was found in the OpenStack Designate component where private configuration information including access keys to BIND were improperly made world readable. A malicious attacker with access to any container could exploit this flaw to access sensitive information.

Action-Not Available
Vendor-Red Hat, Inc.
Product-openstack_platformRed Hat OpenStack Platform 17.1Red Hat OpenStack Platform 17.1 for RHEL 8Red Hat OpenStack Platform 18.0Red Hat OpenStack Platform 17.1 for RHEL 9Red Hat OpenStack Platform 16.1Red Hat OpenStack Platform 16.2
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CVE-2023-6394
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.4||HIGH
EPSS-0.81% / 52.55%
||
7 Day CHG~0.00%
Published-09 Dec, 2023 | 01:26
Updated-24 Mar, 2026 | 12:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Quarkus: graphql operations over websockets bypass

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.

Action-Not Available
Vendor-quarkusRed Hat, Inc.
Product-build_of_quarkusquarkusRed Hat build of Quarkus 3.2.9.FinalRed Hat build of Quarkus 2.13.9.Final
CWE ID-CWE-862
Missing Authorization
CVE-2023-5056
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.27% / 19.10%
||
7 Day CHG~0.00%
Published-18 Dec, 2023 | 13:43
Updated-20 Nov, 2025 | 07:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Skupper-operator: privelege escalation via config map

A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user's purview.

Action-Not Available
Vendor-Red Hat, Inc.
Product-service_interconnectenterprise_linuxService Interconnect 1 for RHEL 9
CWE ID-CWE-862
Missing Authorization
CVE-2023-4456
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.7||MEDIUM
EPSS-0.49% / 38.34%
||
7 Day CHG~0.00%
Published-21 Aug, 2023 | 15:19
Updated-20 Nov, 2025 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Openshift-logging: lokistack authorisation is cached too broadly

A flaw was found in openshift-logging LokiStack. The key used for caching is just the token, which is too broad. This issue allows a user with a token valid for one action to execute other actions as long as the authorization allowing the original action is still cached.

Action-Not Available
Vendor-Red Hat, Inc.
Product-openshift_loggingRHOL-5.5-RHEL-8RHOL-5.6-RHEL-8RHOL-5.7-RHEL-8
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CVE-2023-39418
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-3.1||LOW
EPSS-0.96% / 57.08%
||
7 Day CHG-0.01%
Published-11 Aug, 2023 | 12:19
Updated-21 Nov, 2025 | 07:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Postgresql: merge fails to enforce update or select row security policies

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

Action-Not Available
Vendor-Red Hat, Inc.The PostgreSQL Global Development GroupDebian GNU/Linux
Product-debian_linuxpostgresqlenterprise_linuxRed Hat Enterprise Linux 8.8 Extended Update SupportRed Hat Enterprise Linux 9Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6Red Hat Software CollectionsRed Hat Enterprise Linux 9.2 Extended Update SupportRed Hat Enterprise Linux 8
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CVE-2026-42297
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.5||HIGH
EPSS-0.52% / 40.05%
||
7 Day CHG+0.06%
Published-09 May, 2026 | 03:42
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Argo Workflows Is Missing Authorization in Sync ConfigMap Provider

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operations (create, read, update, delete). Any authenticated user — including those using fake Bearer tokens — can create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits. This issue has been patched in version 4.0.5.

Action-Not Available
Vendor-argoprojargoprojRed Hat, Inc.
Product-argo_workflowsargo-workflowsRed Hat OpenShift AI (RHOAI)
CWE ID-CWE-425
Direct Request ('Forced Browsing')
CWE ID-CWE-862
Missing Authorization
CVE-2026-41326
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.27% / 18.54%
||
7 Day CHG-0.02%
Published-24 Apr, 2026 | 18:46
Updated-30 Jun, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kata Containers: CopyFile Policy Subversion via Symlinks

Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. From v3.4.0 to v3.28.0, an oversight in the CopyFile policy (and perhaps the CopyFile handler) allows untrusted hosts to write to arbitrary locations inside the guest workload image. This can be used to overwrite binaries inside the guest and exfiltrate data from containers; even those running inside CVMs. This vulnerability is fixed in v3.29.0.

Action-Not Available
Vendor-katacontainerskata-containersRed Hat, Inc.
Product-confidential_containerskata_containerskata-containersConfidential Compute AttestationRed Hat OpenShift Container Platform 4Red Hat OpenShift Container Platform 4.19
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CWE ID-CWE-61
UNIX Symbolic Link (Symlink) Following
CVE-2026-40976
Matching Score-6
Assigner-VMware by Broadcom
ShareView Details
Matching Score-6
Assigner-VMware by Broadcom
CVSS Score-9.1||CRITICAL
EPSS-0.49% / 38.50%
||
7 Day CHG+0.08%
Published-27 Apr, 2026 | 23:34
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.

Action-Not Available
Vendor-VMware (Broadcom Inc.)Red Hat, Inc.
Product-spring_bootSpring BootRed Hat build of OptaPlanner 8Red Hat build of Apache Camel - HawtIO 4Red Hat AMQ ClientsRed Hat AMQ Broker 7Red Hat Data Grid 8Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform 7Red Hat Enterprise Linux 9Red Hat OpenShift Dev SpacesRed Hat Process Automation 7Red Hat build of Apache Camel for Spring Boot 4Red Hat Enterprise Linux 8Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-305
Authentication Bypass by Primary Weakness
CWE ID-CWE-862
Missing Authorization
CVE-2026-40981
Matching Score-6
Assigner-VMware by Broadcom
ShareView Details
Matching Score-6
Assigner-VMware by Broadcom
CVSS Score-7.5||HIGH
EPSS-0.43% / 34.97%
||
7 Day CHG+0.05%
Published-07 May, 2026 | 03:55
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

Action-Not Available
Vendor-VMware (Broadcom Inc.)Red Hat, Inc.
Product-spring_cloud_configSpring Cloud ConfigRed Hat Enterprise Linux 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-39363
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-2.91% / 85.28%
||
7 Day CHG+0.62%
Published-07 Apr, 2026 | 19:10
Updated-30 Jun, 2026 | 12:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

Action-Not Available
Vendor-voidzerovitejsvitejsRed Hat, Inc.
Product-vitevite\+vite-plusviteRed Hat Ansible Automation Platform 2Red Hat Build of Podman DesktopRed Hat Ansible Automation Platform 2.6Red Hat Ansible Automation Platform 2.5 for RHEL 9Red Hat Build of Podman Desktop - Tech PreviewRed Hat OpenShift Container Platform 4Red Hat Advanced Cluster Security 4Red Hat Build of KeycloakRed Hat Ansible Automation Platform 2.6 for RHEL 10Red Hat Ansible Automation Platform 2.6 for RHEL 9Red Hat Ansible Automation Platform 2.5 for RHEL 8Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-37981
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.37% / 28.98%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 10:28
Updated-03 Jun, 2026 | 19:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak: org.keycloak.authorization: keycloak: information disclosure via broken access control in user lookup endpoint

A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.

Action-Not Available
Vendor-Red Hat, Inc.
Product-build_of_keycloakRed Hat build of Keycloak 26.4.12Red Hat build of Keycloak 26.4
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CVE-2024-9671
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.28% / 19.35%
||
7 Day CHG~0.00%
Published-09 Oct, 2024 | 14:32
Updated-20 Mar, 2026 | 10:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
System: pdf invoices of the developer users can be seen if the url is known

A vulnerability was found in 3Scale. There is no auth mechanism to see a PDF invoice of a Developer user if the URL is known. Anyone can see the invoice if the URL is known or guessed.

Action-Not Available
Vendor-Red Hat, Inc.
Product-3scale_api_management_platformRed Hat 3scale API Management Platform 2
CWE ID-CWE-862
Missing Authorization
CVE-2026-26103
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.1||HIGH
EPSS-0.07% / 0.11%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 10:31
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Udisks: missing authorization check allows unprivileged users to restore luks headers via udisks d-bus api

A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices. This can permanently invalidate encryption keys and render encrypted volumes inaccessible. Successful exploitation results in a denial-of-service condition through irreversible data loss.

Action-Not Available
Vendor-Red Hat, Inc.freedesktop.org
Product-udisksenterprise_linuxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 10.0 Extended Update SupportRed Hat Enterprise Linux 6Red Hat Enterprise Linux AppStream EUS (v. 10.0)Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)Red Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 8Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)Red Hat Enterprise Linux 6Red Hat Enterprise Linux AppStream (v. 10)
CWE ID-CWE-862
Missing Authorization
CVE-2026-26104
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.07% / 0.11%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 10:51
Updated-25 Mar, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Udisks: missing authorization check allows unprivileged users to back up luks headers via udisks d-bus api

A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check. As a result, sensitive cryptographic metadata can be read and written to attacker-controlled locations. This weakens the confidentiality guarantees of encrypted storage volumes.

Action-Not Available
Vendor-freedesktop.orgRed Hat, Inc.
Product-enterprise_linuxudisksRed Hat Enterprise Linux 9Red Hat Enterprise Linux 10.0 Extended Update SupportRed Hat Enterprise Linux 8Red Hat Enterprise Linux 10Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6
CWE ID-CWE-862
Missing Authorization
CVE-2017-7530
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-8.8||HIGH
EPSS-1.70% / 74.44%
||
7 Day CHG~0.00%
Published-26 Jul, 2018 | 13:00
Updated-05 Aug, 2024 | 16:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs).

Action-Not Available
Vendor-Red Hat, Inc.
Product-cloudforms_management_enginecloudformscfme
CWE ID-CWE-862
Missing Authorization
CVE-2026-12515
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 9.64%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 15:34
Updated-26 Jun, 2026 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Katello: missing repository authorization in content_uploads exposes cross-product content existence

A flaw was found in Katello's of Red Hat Satellite. A content upload functionality where insufficient authorization checks in the ContentUploadsController allowed users with the edit_products permission to query content information for repositories outside the products they were authorized to manage. An authenticated attacker could exploit this issue to determine whether specific content exists within repositories that should otherwise be inaccessible. This issue does not allow unauthorized modification, import, or publication of content.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Satellite 6Red Hat Hardened Images
CWE ID-CWE-862
Missing Authorization
CVE-2026-11807
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.37% / 28.98%
||
7 Day CHG+0.01%
Published-23 Jun, 2026 | 19:40
Updated-29 Jun, 2026 | 12:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Eda-server: websocket missing authorization allows credential theft via activation_id spoofing

A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Ansible Automation Platform 2.6Red Hat Ansible Automation Platform 2.5 for RHEL 9Red Hat Ansible Automation Platform 2.5Red Hat Ansible Automation Platform 2.6 for RHEL 9Red Hat Ansible Automation Platform 2.5 for RHEL 8Red Hat Ansible Automation Platform 2.6Red Hat Ansible Automation Platform 2.5 for RHEL 9Red Hat Ansible Automation Platform 2.5Red Hat Ansible Automation Platform 2.6 for RHEL 9Red Hat Ansible Automation Platform 2.5 for RHEL 8
CWE ID-CWE-862
Missing Authorization
CVE-2026-13484
Matching Score-6
Assigner-VulDB
ShareView Details
Matching Score-6
Assigner-VulDB
CVSS Score-2.3||LOW
EPSS-0.26% / 17.69%
||
7 Day CHG~0.00%
Published-28 Jun, 2026 | 08:30
Updated-01 Jul, 2026 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MLflow Experiment-scoped Label Schema CRUD API authorization

A vulnerability has been found in MLflow up to 4666cffc7912ea606d592fc38d6a75e2935f65e7. The impacted element is an unknown function of the component Experiment-scoped Label Schema CRUD API. Such manipulation leads to missing authorization. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. A reply to the GitHub issue explains, that "[t]he labeling schema PR has not been merged yet. The auth handlers will be added before the release."

Action-Not Available
Vendor-lfprojectsn/a
Product-mlflowMLflow
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-10609
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.24% / 14.47%
||
7 Day CHG~0.00%
Published-23 Jun, 2026 | 13:26
Updated-23 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Openshift/cluster-logging-operator: cluster logging operator creates and forwards serviceaccount tokens without verifying clf creator authorization

A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrate SA tokens and escalate privileges.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Logging Subsystem for Red Hat OpenShift
CWE ID-CWE-862
Missing Authorization
CVE-2025-7493
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.52% / 40.51%
||
7 Day CHG~0.00%
Published-30 Sep, 2025 | 15:06
Updated-26 Feb, 2026 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Freeipa: idm: privilege escalation from host to domain admin in freeipa

A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. While the previously released version added validations for the admin@REALM credential, FreeIPA still does not validate the root@REALM canonical name, which can also be used as the realm administrator's name. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Enterprise Linux 8.8 Update Services for SAP SolutionsRed Hat Enterprise Linux 9Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportRed Hat Enterprise Linux 8Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-OnRed Hat Enterprise Linux 8.8 Telecommunications Update ServiceRed Hat Enterprise Linux 9.4 Extended Update SupportRed Hat Enterprise Linux 8.6 Advanced Mission Critical Update SupportRed Hat Enterprise Linux 8.6 Telecommunications Update ServiceRed Hat Enterprise Linux 10Red Hat Enterprise Linux 6Red Hat Enterprise Linux 9.2 Update Services for SAP SolutionsRed Hat Enterprise Linux 7 Extended Lifecycle SupportRed Hat Enterprise Linux 8.2 Advanced Update SupportRed Hat Enterprise Linux 8.6 Update Services for SAP SolutionsRed Hat Enterprise Linux 9.0 Update Services for SAP Solutions
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CVE-2025-69196
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.4||HIGH
EPSS-0.36% / 27.81%
||
7 Day CHG+0.08%
Published-16 Mar, 2026 | 18:07
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FastMCP OAuth Proxy token reuse across MCP servers

FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for the base_url passed to the OAuthProxy during initialization. This issue has been patched 2.14.2.

Action-Not Available
Vendor-jlowinjlowinRed Hat, Inc.
Product-fastmcpfastmcpRed Hat Developer HubRed Hat OpenShift AI (RHOAI)Red Hat Satellite 6
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-54518
Matching Score-6
Assigner-Advanced Micro Devices Inc.
ShareView Details
Matching Score-6
Assigner-Advanced Micro Devices Inc.
CVSS Score-7.3||HIGH
EPSS-0.26% / 17.11%
||
7 Day CHG-0.03%
Published-15 May, 2026 | 03:06
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper isolation of shared resources within the CPU operation cache on Zen 2-based products could allow an attacker to corrupt instructions executed at a different privilege level, potentially resulting in privilege escalation.

Action-Not Available
Vendor-Advanced Micro Devices, Inc.Red Hat, Inc.
Product-AMD Ryzenâ„¢ 5000 Series Desktop Processors with Radeonâ„¢ GraphicsAMD Ryzenâ„¢ 7020 Series Processors with Radeonâ„¢ GraphicsAMD EPYCâ„¢ Embedded 7002 Series ProcessorsAMD Ryzenâ„¢ 3000 Series Desktop ProcessorsAMD Ryzenâ„¢ Embedded V2000 Series ProcessorsAMD Ryzenâ„¢ Threadripperâ„¢ PRO 3000 WX-Series ProcessorsAMD Ryzenâ„¢ 5000 Series Mobile Processors with Radeonâ„¢ GraphicsAMD Ryzenâ„¢ 7030 Series Mobile Processors with Radeonâ„¢ GraphicsAMD Ryzenâ„¢ 4000 Series Mobile Processors with Radeonâ„¢ GraphicsAMD Ryzen Embedded V2000A Series ProcessorsAMD Ryzenâ„¢ 4000 Series Desktop ProcessorsAMD EPYCâ„¢ 7002 Series ProcessorsRed Hat OpenShift Container Platform 4Red Hat Enterprise Linux 7Red Hat Enterprise Linux for NVIDIA 26Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-1189
Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CVE-2026-23537
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.57% / 42.91%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 13:49
Updated-02 Jul, 2026 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Feast: unauthenticated arbitrary file write

A vulnerability has been identified in the Feast Feature Server’s `/save-document` endpoint that allows an unauthenticated remote attacker to write arbitrary JSON files to the server's filesystem. Although the system attempts to restrict file locations, these protections can be bypassed, enabling an attacker to overwrite vital application configurations or startup scripts. Because this flaw requires no credentials or special privileges, any attacker with network access to the server can potentially compromise the integrity of the system. This could lead to unauthorized system modifications, denial of service through disk exhaustion, or potential remote code execution.

Action-Not Available
Vendor-FeastRed Hat, Inc.
Product-Feast Feature ServerRed Hat OpenShift AI (RHOAI)Red Hat OpenShift AI (RHOAI)
CWE ID-CWE-862
Missing Authorization
CVE-2023-0923
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-8.8||HIGH
EPSS-0.94% / 56.51%
||
7 Day CHG~0.00%
Published-15 Sep, 2023 | 20:16
Updated-02 Aug, 2024 | 05:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Odh-notebook-controller-container: missing authorization allows for file contents disclosure

A flaw was found in the Kubernetes service for notebooks in RHODS, where it does not prevent pods from other namespaces and applications from making requests to the Jupyter API. This flaw can lead to file content exposure and other issues.

Action-Not Available
Vendor-Red Hat, Inc.
Product-enterprise_linuxopenshift_data_scienceRHODS-1.22-RHEL-8
CWE ID-CWE-862
Missing Authorization
CVE-2025-4404
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-9.1||CRITICAL
EPSS-1.83% / 76.21%
||
7 Day CHG~0.00%
Published-17 Jun, 2025 | 13:39
Updated-30 Jun, 2026 | 11:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Freeipa: idm: privilege escalation from host to domain admin in freeipa

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Enterprise Linux 8.8 Telecommunications Update ServiceRed Hat Enterprise Linux 9.4 Extended Update SupportRed Hat Enterprise Linux 9.2 Update Services for SAP SolutionsRed Hat Enterprise Linux 9Red Hat Enterprise Linux 8.2 Advanced Update SupportRed Hat Enterprise Linux 10Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update SupportRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportRed Hat Enterprise Linux 6Red Hat Enterprise Linux 9.0 Update Services for SAP SolutionsRed Hat Enterprise Linux 7 Extended Lifecycle SupportRed Hat Enterprise Linux 8.8 Update Services for SAP SolutionsRed Hat Enterprise Linux 8Red Hat Enterprise Linux 8.6 Telecommunications Update ServiceRed Hat Enterprise Linux 8.6 Update Services for SAP Solutions
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CVE-2025-35998
Matching Score-6
Assigner-Intel Corporation
ShareView Details
Matching Score-6
Assigner-Intel Corporation
CVSS Score-7||HIGH
EPSS-0.15% / 4.62%
||
7 Day CHG+0.01%
Published-10 Feb, 2026 | 16:26
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing protection mechanism for alternate hardware interface in the Intel(R) Quick Assist Technology for some Intel(R) Platforms within Ring 0: Kernel may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-Intel(R) PlatformsRed Hat Enterprise Linux BaseOS EUS (v. 10.0)Red Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CWE ID-CWE-1299
Missing Protection Mechanism for Alternate Hardware Interface
CVE-2023-0456
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.4||HIGH
EPSS-0.64% / 46.20%
||
7 Day CHG~0.00%
Published-27 Sep, 2023 | 13:39
Updated-24 Sep, 2024 | 14:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apicast proxies the api call with incorrect jwt token to the api backend without proper authorization check

A flaw was found in APICast, when 3Scale's OIDC module does not properly evaluate the response to a mismatched token from a separate realm. This could allow a separate realm to be accessible to an attacker, permitting access to unauthorized information.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-apicastRed Hat 3scale API Management Platform 2apicast
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-862
Missing Authorization
CVE-2020-1720
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-3.1||LOW
EPSS-1.18% / 63.98%
||
7 Day CHG-0.00%
Published-17 Mar, 2020 | 15:28
Updated-04 Aug, 2024 | 06:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17.

Action-Not Available
Vendor-The PostgreSQL Global Development GroupRed Hat, Inc.
Product-decision_managerpostgresqlsoftware_collectionsenterprise_linuxpostgresql
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-862
Missing Authorization
CVE-2020-10684
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.9||HIGH
EPSS-0.34% / 26.45%
||
7 Day CHG~0.00%
Published-24 Mar, 2020 | 00:00
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.

Action-Not Available
Vendor-Debian GNU/LinuxRed Hat, Inc.Fedora Project
Product-debian_linuxopenstackfedoraansibleansible_towerAnsible
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2020-10689
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.4||MEDIUM
EPSS-0.75% / 50.52%
||
7 Day CHG~0.00%
Published-03 Apr, 2020 | 14:29
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in the Eclipse Che up to version 7.8.x, where it did not properly restrict access to workspace pods. An authenticated user can exploit this flaw to bypass JWT proxy and gain access to the workspace pods of another user. Successful exploitation requires knowledge of the service name and namespace of the target pod.

Action-Not Available
Vendor-Eclipse Foundation AISBLRed Hat, Inc.
Product-cheEclipse Che
CWE ID-CWE-862
Missing Authorization
CVE-2024-43401
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.64% / 46.16%
||
7 Day CHG~0.00%
Published-19 Aug, 2024 | 16:24
Updated-21 Aug, 2024 | 14:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
In XWiki Platform, payloads stored in content is executed when a user with script/programming right edit them

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script/programming right can trick a user with elevated rights to edit a content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content. The payload is executed at edit time. This vulnerability has been patched in XWiki 15.10RC1.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platformxwiki-platform
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-862
Missing Authorization
CVE-2025-23025
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.40% / 31.56%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 17:42
Updated-13 May, 2025 | 13:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Privilege escalation (PR) through realtime WYSIWYG editing in XWiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0. A user with only **edit right** can join a realtime editing session where others, that where already there or that may join later, have **script** or **programming** access rights. This user can then insert **script rendering macros** that are executed for those users in the realtime session that have script or programming rights. The inserted scripts can be used to gain more access rights. This vulnerability has been patched in XWiki 15.10.2, 16.4.1 and 16.6.0-rc-1. Users are advised to upgrade. Users unable to upgrade may either disable the realtime WYSIWYG editing by disabling the ``xwiki-realtime`` CKEditor plugin from the WYSIWYG editor administration section or uninstall the Realtime WYSIWYG Editorextension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui).

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platform
CWE ID-CWE-862
Missing Authorization
CVE-2024-38002
Matching Score-4
Assigner-Liferay, Inc.
ShareView Details
Matching Score-4
Assigner-Liferay, Inc.
CVSS Score-9||CRITICAL
EPSS-0.59% / 44.08%
||
7 Day CHG~0.00%
Published-22 Oct, 2024 | 15:12
Updated-13 Oct, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalPortalDXPportaldxp
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-32973
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.34% / 25.72%
||
7 Day CHG+0.01%
Published-30 Apr, 2025 | 14:55
Updated-13 May, 2025 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, when a user with programming rights edits a document in XWiki that was last edited by a user without programming rights and contains an XWiki.ComponentClass, there is no warning that this will grant programming rights to this object. An attacker who created such a malicious object could use this to gain programming rights on the wiki. For this, the attacker needs to have edit rights on at least one page to place this object and then get an admin user to edit that document. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platform
CWE ID-CWE-862
Missing Authorization
Details not found