{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4740", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-03-24T03:19:46.998Z", "datePublished": "2026-04-07T14:30:36.396Z", "dateUpdated": "2026-04-09T14:40:43.580Z"}, "containers": {"cna": {"title": "Rhacm: open cluster management (ocm): cross-cluster privilege escalation via improper kubernetes client certificate renewal validation", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This enables cross-cluster privilege escalation and may allow an attacker to gain control over other managed clusters, including the hub cluster."}], "affected": [{"vendor": "Red Hat", "product": "Multicluster Engine for Kubernetes", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "multicluster-engine/registration-operator-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:multicluster_engine"]}, {"vendor": "Red Hat", "product": "Multicluster Engine for Kubernetes", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "multicluster-engine/registration-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:multicluster_engine"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-4740", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://blog.arfevrier.fr/open-cluster-management-cross-cluster-escape/"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450590", "name": "RHBZ#2450590", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-07T14:00:35.240Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-295: Improper Certificate Validation", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "timeline": [{"lang": "en", "time": "2026-03-24T03:18:24.150Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-07T14:00:35.240Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Arnaud FEVRIER (Orange) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-07T14:30:36.396Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:40:37.454585Z", "id": "CVE-2026-4740", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:40:43.580Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4740", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T14:40:37.454585Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:40:40.356Z"}}], "cna": {"title": "Rhacm: open cluster management (ocm): cross-cluster privilege escalation via improper kubernetes client certificate renewal validation", "credits": [{"lang": "en", "value": "Red Hat would like to thank Arnaud FEVRIER (Orange) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:multicluster_engine"], "vendor": "Red Hat", "product": "Multicluster Engine for Kubernetes", "packageName": "multicluster-engine/registration-operator-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:multicluster_engine"], "vendor": "Red Hat", "product": "Multicluster Engine for Kubernetes", "packageName": "multicluster-engine/registration-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2026-03-24T03:18:24.150Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-07T14:00:35.240Z", "value": "Made public."}], "datePublic": "2026-04-07T14:00:35.240Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-4740", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://blog.arfevrier.fr/open-cluster-management-cross-cluster-escape/"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450590", "name": "RHBZ#2450590", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This enables cross-cluster privilege escalation and may allow an attacker to gain control over other managed clusters, including the hub cluster."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-07T14:30:36.396Z"}, "x_redhatCweChain": "CWE-295: Improper Certificate Validation"}}, "cveMetadata": {"cveId": "CVE-2026-4740", "state": "PUBLISHED", "dateUpdated": "2026-04-09T14:40:43.580Z", "dateReserved": "2026-03-24T03:19:46.998Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-07T14:30:36.396Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:-:*:*:*:*:*:*:*", "matchCriteriaId": "7301AD20-0188-463F-9386-9D878AD3A542", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This enables cross-cluster privilege escalation and may allow an attacker to gain control over other managed clusters, including the hub cluster."}], "id": "CVE-2026-4740", "lastModified": "2026-04-28T20:39:15.040", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-04-07T15:17:46.797", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2026-4740"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.arfevrier.fr/open-cluster-management-cross-cluster-escape/"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450590"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Arnaud FEVRIER (Orange) for reporting this issue.", "bugzilla": {"description": "rhacm: Open Cluster Management (OCM): Cross-cluster privilege escalation via improper Kubernetes client certificate renewal validation", "id": "2450590", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450590"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-295", "details": ["A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This enables cross-cluster privilege escalation and may allow an attacker to gain control over other managed clusters, including the hub cluster."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-4740", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/registration-operator-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/registration-rhel9", "product_name": "Multicluster Engine for Kubernetes"}], "public_date": "2026-04-07T14:00:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4740\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4740\nhttps://blog.arfevrier.fr/open-cluster-management-cross-cluster-escape/"], "statement": "Improper validation of Kubernetes client certificate renewal in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM), allows a managed cluster administrator to forge a client certificate. This could lead to cross-cluster privilege escalation, potentially enabling an attacker to gain control over other managed clusters, including the hub cluster.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Multicluster Engine for Kubernetes", "source": "cna", "vendor": "Red Hat"}, "product": "multicluster_engine", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-07T20:05:40.065268+00:00", "value": {"mitigation_remediation": ["Upgrade Red Hat Multicluster Engine for Kubernetes to the latest version that contains the OCM certificate renewal validation fix.", "If an update is not immediately available, restrict administrative access on managed clusters and isolate them from the hub cluster until the vendor releases a patch.", "Verify that Kubernetes client certificate renewal is properly validated on the hub and all managed clusters.", "Monitor certificate generation and renewal logs for anomalous or duplicate certificate requests that could indicate an attempt to forge credentials."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011cluster privilege escalation"}, "threat_synthesis": {"affected_systems": "Red Hat Multicluster Engine for Kubernetes is the affected product. No specific affected version information was supplied, so any installation of this product should be evaluated to determine if it is running an unpatched version of OCM.", "description_and_impact": "Improper validation of Kubernetes client certificate renewal in Open Cluster Management (OCM) allows a managed\u2011cluster administrator to forge a client certificate that the OCM controller will approve. The forged certificate can be used to impersonate higher\u2011privilege identities across clusters, enabling the attacker to gain control over the hub cluster and any other managed clusters in the environment. The vulnerability leads to a full compromise of confidentiality, integrity, and availability for all clusters connected through OCM.", "risk_and_exploitability": "The CVSS score of 8.2 indicates high severity. The EPSS score is not available, but the lack of a KEV listing suggests it is not a widely discovered exploit yet. The most likely attack vector is an internal one; an attacker who has administrative privileges on a managed cluster can forge a certificate and submit it for renewal. If the OCM controller accepts the forged certificate, the attacker can then perform actions on the hub and other clusters with elevated privileges. The exploit does not require external network access beyond the normal OCM traffic. Given the severity and potential impact, the risk is considered high."}}}}, "created": "2026-04-08T19:37:27.849225+00:00", "updated": "2026-04-08T19:48:47.142783+00:00", "vendors": ["redhat", "redhat$PRODUCT$multicluster_engine"]}