CVE-2026-21721

Severity: High (Red Hat)
CVSS v3 Base Score: 8.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Published: January 27, 2026
Last Modified: January 27, 2026
Vendor: Red Hat

Description

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
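
The missing scope check described above, modeled in Python as an added example; it is not code from the affected product or from this advisory. It puts an action-only check beside a scope-aware one and lists the requests on which they disagree. The `Grant` type, the `dashboards:uid:<uid>` scope format, the concrete `read`/`write` action names and the sample UIDs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    """Assumed RBAC model: an action plus the scope it applies to."""
    action: str  # e.g. "dashboards.permissions:write" (assumed concrete action)
    scope: str   # e.g. "dashboards:uid:team-a" (constructed scope format)

def action_only_check(grants, action, dashboard_uid):
    """Flawed pattern from the description: the target dashboard is ignored."""
    return any(g.action == action for g in grants)

def scope_covers(granted, target):
    """Exact scope match, or an explicit wildcard ending at a ':' boundary."""
    if granted == target:
        return True
    return granted.endswith(":*") and target.startswith(granted[:-1])

def scoped_check(grants, action, dashboard_uid):
    """Corrected pattern: the grant must hold the action on this dashboard."""
    target = f"dashboards:uid:{dashboard_uid}"
    return any(g.action == action and scope_covers(g.scope, target) for g in grants)

def cross_dashboard_gaps(grants, actions, dashboard_uids):
    """Regression helper: (action, uid) pairs the flawed check allows
    but the scoped check denies."""
    return [(a, uid) for a in actions for uid in dashboard_uids
            if action_only_check(grants, a, uid) and not scoped_check(grants, a, uid)]

# Constructed sample: the user manages permissions on one dashboard only.
USER_GRANTS = [
    Grant("dashboards.permissions:read", "dashboards:uid:team-a"),
    Grant("dashboards.permissions:write", "dashboards:uid:team-a"),
]

if __name__ == "__main__":
    for pair in cross_dashboard_gaps(
            USER_GRANTS,
            ["dashboards.permissions:read", "dashboards.permissions:write"],
            ["team-a", "team-ab", "team-b"]):
        print("action-only check over-authorizes:", pair)
```

An empty result from `cross_dashboard_gaps` is the property an authorization regression test should hold for every user whose grants are scoped to specific dashboards.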

CWE

CWE-639

Affected Products

Multicluster Global Hub
Red Hat Advanced Cluster Management for Kubernetes 2
Red Hat Ceph Storage 5
Red Hat Ceph Storage 6
Red Hat Ceph Storage 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 10.0 Extended Update Support
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9.6 Extended Update Support

Fix Status

✅ Fix Available

References