CVE 8.8 HIGH

CVE-2026-54099: windows-machine-config-operator: WICD CSR extra organization allows privilege escalation to system:masters

8.8 / 10
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The WICD CSR auto-approver validates that a Certificate Signing Request contains the organization system:wicd-nodes but does not reject additional organization values such as system:masters. A compromised Windows worker node that holds WICD credentials can submit a CSR that is auto-approved and signed by the cluster, yielding a client certificate that grants cluster-administrator privileges and enabling full cluster takeover.
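The difference between the check described above and a strict one, as an added Go example; this is not WMCO source code. The function names and the `constructed-node` common name are assumptions made for illustration, and only the two organization strings come from the description.

```go
package main

import (
	"crypto/x509/pkix"
	"fmt"
)

// wicdGroup is the organization the description says the approver requires.
const wicdGroup = "system:wicd-nodes"

// containsOnlyCheck models the weak logic class from the description (hypothetical
// name): it passes as soon as the required organization appears anywhere in O.
func containsOnlyCheck(subject pkix.Name) bool {
	for _, o := range subject.Organization {
		if o == wicdGroup {
			return true
		}
	}
	return false
}

// exactCheck is the hardened form (hypothetical name): the organization list
// must be exactly one entry, and that entry must be wicdGroup.
func exactCheck(subject pkix.Name) error {
	if len(subject.Organization) != 1 {
		return fmt.Errorf("expected exactly 1 organization, got %d", len(subject.Organization))
	}
	if subject.Organization[0] != wicdGroup {
		return fmt.Errorf("unexpected organization %q", subject.Organization[0])
	}
	return nil
}

// subjectWith builds a constructed CSR subject for the comparison below.
func subjectWith(orgs ...string) pkix.Name {
	return pkix.Name{CommonName: "constructed-node", Organization: orgs}
}

func main() {
	for _, s := range []pkix.Name{
		subjectWith(wicdGroup),
		subjectWith(wicdGroup, "system:masters"),
	} {
		fmt.Printf("O=%q contains-only=%v exact=%v\n", s.Organization, containsOnlyCheck(s), exactCheck(s))
	}
}
```

Kubernetes maps each organization value in a client certificate to a group, so an approver has to validate the whole list rather than search it for one expected entry.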

AI Analysis

Privilege escalation vulnerability in Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform via extra organization values in Certificate Signing Request

Basic Information

ID: CVE-2026-54099
Source: redhat
Published: Jun 22, 2026 at 12:46

Affected Product

Vendor: Red Hat
Product: Red Hat OpenShift Container Platform 4

CWE Classification

AI Assessment

AI Score: 8.8 / 10
AI Severity: High
Vendor: Red Hat
Product: Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform
Version: 4
