CVE-2026-10101
mediumCVSS v3 Base Score
6.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
EPSS Score
0.0%
Exploitation probability in 30 days
Top 91% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Confidentiality
High
Integrity
Low
Availability
None
Vulnerability Report
Generated by CyberWatcher
Description
ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterRole cannot directly read Secrets, but can read `InfraEnv` objects and recover the referenced Secret's `.dockerconfigjson` data from status.
This bypasses the Kubernetes/OpenShift RBAC separation between read-only namespace viewers and Secret readers. In the reproduced proof, the same ServiceAccount was denied `get` and `list` on Secrets, but recovered synthetic pull-secret `username`, `password`, `email`, and base64 `auth` fields through `InfraEnv.status`.
CWE
CWE-201Affected Products
Multicluster Engine for Kubernetes