Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Red Hat Advanced Cluster Security for Kubernetes 4.11 by Red Hat

    CVE-2026-9165 (GCVE-0-2026-9165)

    Vulnerability from nvd – Published: 2026-07-06 08:46 – Updated: 2026-07-07 18:37
    VLAI
    Title
    Stackrox: stackrox: unbounded graphql query depth allows authenticated denial of service
    Summary
    A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2026:36207 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:36319 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2026-9165 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2480505 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.11 Unaffected: 1783352589 , < * (rpm)
        cpe:/a:redhat:advanced_cluster_security:4.11::el9
    Create a notification for this product.
    Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.9 Unaffected: 1783357116 , < * (rpm)
        cpe:/a:redhat:advanced_cluster_security:4.9::el8
    Create a notification for this product.
    Date Public
    2026-07-06 08:38
    Credits
    This issue was discovered by Moritz Clasmeier (Red Hat).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9165",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-07T14:00:57.848857Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-07T14:01:10.575Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:advanced_cluster_security:4.11::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "advanced-cluster-security/rhacs-main-rhel9",
              "product": "Red Hat Advanced Cluster Security for Kubernetes 4.11",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1783352589",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:advanced_cluster_security:4.9::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "advanced-cluster-security/rhacs-main-rhel8",
              "product": "Red Hat Advanced Cluster Security for Kubernetes 4.9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1783357116",
                  "versionType": "rpm"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was discovered by Moritz Clasmeier (Red Hat)."
            }
          ],
          "datePublic": "2026-07-06T08:38:30.568Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T18:37:46.748Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:36207",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:36207"
            },
            {
              "name": "RHSA-2026:36319",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:36319"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9165"
            },
            {
              "name": "RHBZ#2480505",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480505"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-21T00:00:00.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-07-06T08:38:30.568Z",
              "value": "Made public."
            }
          ],
          "title": "Stackrox: stackrox: unbounded graphql query depth allows authenticated denial of service",
          "workarounds": [
            {
              "lang": "en",
              "value": "There is no complete mitigation other than installing the update once\navailable."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9165",
        "datePublished": "2026-07-06T08:46:22.139Z",
        "dateReserved": "2026-05-21T12:54:16.202Z",
        "dateUpdated": "2026-07-07T18:37:46.748Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9165 (GCVE-0-2026-9165)

    Vulnerability from cvelistv5 – Published: 2026-07-06 08:46 – Updated: 2026-07-07 18:37
    VLAI
    Title
    Stackrox: stackrox: unbounded graphql query depth allows authenticated denial of service
    Summary
    A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2026:36207 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:36319 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2026-9165 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2480505 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.11 Unaffected: 1783352589 , < * (rpm)
        cpe:/a:redhat:advanced_cluster_security:4.11::el9
    Create a notification for this product.
    Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.9 Unaffected: 1783357116 , < * (rpm)
        cpe:/a:redhat:advanced_cluster_security:4.9::el8
    Create a notification for this product.
    Date Public
    2026-07-06 08:38
    Credits
    This issue was discovered by Moritz Clasmeier (Red Hat).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9165",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-07T14:00:57.848857Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-07T14:01:10.575Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:advanced_cluster_security:4.11::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "advanced-cluster-security/rhacs-main-rhel9",
              "product": "Red Hat Advanced Cluster Security for Kubernetes 4.11",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1783352589",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:advanced_cluster_security:4.9::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "advanced-cluster-security/rhacs-main-rhel8",
              "product": "Red Hat Advanced Cluster Security for Kubernetes 4.9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1783357116",
                  "versionType": "rpm"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was discovered by Moritz Clasmeier (Red Hat)."
            }
          ],
          "datePublic": "2026-07-06T08:38:30.568Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T18:37:46.748Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:36207",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:36207"
            },
            {
              "name": "RHSA-2026:36319",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:36319"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9165"
            },
            {
              "name": "RHBZ#2480505",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480505"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-21T00:00:00.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-07-06T08:38:30.568Z",
              "value": "Made public."
            }
          ],
          "title": "Stackrox: stackrox: unbounded graphql query depth allows authenticated denial of service",
          "workarounds": [
            {
              "lang": "en",
              "value": "There is no complete mitigation other than installing the update once\navailable."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9165",
        "datePublished": "2026-07-06T08:46:22.139Z",
        "dateReserved": "2026-05-21T12:54:16.202Z",
        "dateUpdated": "2026-07-07T18:37:46.748Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }