{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-10101","assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","state":"PUBLISHED","assignerShortName":"redhat","dateReserved":"2026-05-29T15:07:59.753Z","datePublished":"2026-05-29T15:23:00.527Z","dateUpdated":"2026-05-29T15:23:00.527Z"},"containers":{"cna":{"title":"Assisted-service: assisted-service: infraenv status leaks referenced pull-secret contents to namespace view users","metrics":[{"other":{"content":{"value":"Moderate","namespace":"https://access.redhat.com/security/updates/classification/"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.3,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N","version":"3.1"},"format":"CVSS"}],"descriptions":[{"lang":"en","value":"ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterRole cannot directly read Secrets, but can read `InfraEnv` objects and recover the referenced Secret's `.dockerconfigjson` data from status.\n\nThis bypasses the Kubernetes/OpenShift RBAC separation between read-only namespace viewers and Secret readers. In the reproduced proof, the same ServiceAccount was denied `get` and `list` on Secrets, but recovered synthetic pull-secret `username`, `password`, `email`, and base64 `auth` fields through `InfraEnv.status`."}],"affected":[{"vendor":"Red Hat","product":"Multicluster Engine for Kubernetes","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"multicluster-engine/assisted-service-9-rhel9","defaultStatus":"unknown","cpes":["cpe:/a:redhat:multicluster_engine"]}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-10101","tags":["vdb-entry","x_refsource_REDHAT"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2483298","name":"RHBZ#2483298","tags":["issue-tracking","x_refsource_REDHAT"]}],"datePublic":"2026-05-29T12:00:00.000Z","problemTypes":[{"descriptions":[{"cweId":"CWE-201","description":"Insertion of Sensitive Information Into Sent Data","lang":"en","type":"CWE"}]}],"x_redhatCweChain":"CWE-201: Insertion of Sensitive Information Into Sent Data","timeline":[{"lang":"en","time":"2026-05-06T00:00:00.000Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-29T12:00:00.000Z","value":"Made public."}],"providerMetadata":{"orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat","dateUpdated":"2026-05-29T15:23:00.527Z"},"x_generator":{"engine":"cvelib 1.8.0"}}}}