RHSA-2026:16535
Vulnerability from csaf_redhat - Published: 2026-05-12 21:06 - Updated: 2026-05-15 21:06Summary
Red Hat Security Advisory: Kiali 2.17.7 for Red Hat OpenShift Service Mesh 3.2
Severity
Important
Notes
Topic: Kiali 2.17.7 for Red Hat OpenShift Service Mesh 3.2 is now available.
An update is now available for Red Hat OpenShift Service Mesh 3.2. This advisory contains the RPM packages for the Kiali component.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Kiali 2.17.7, for Red Hat OpenShift Service Mesh 3.2, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.
Security Fix(es):
* CVE-2026-32280 Go: Denial of Service vulnerability in certificate chain building (OSSM-13248)
* CVE-2026-40895 follow-redirects: Information disclosure via cross-domain redirects (OSSM-13556, OSSM-13560)
* CVE-2026-42033 Axios: HTTP Transport Hijacking via Prototype Pollution (OSSM-13693, OSSM-13697)
* CVE-2026-42035 Axios: Arbitrary HTTP header injection via prototype pollution (OSSM-13604, OSSM-13605)
* CVE-2026-42043 Axios: NO_PROXY bypass via crafted URL (OSSM-13715, OSSM-13719)
* CVE-2026-42039 Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data (OSSM-13729, OSSM-13733)
* CVE-2026-42041 Axios: Authentication bypass due to prototype pollution of HTTP error handling (OSSM-13743, OSSM-13747)
* CVE-2026-42044 Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget (OSSM-13784, OSSM-13785)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64 | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64 | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le | — |
Threats
Impact
Important
A flaw was found in follow-redirects. When an HTTP request follows a cross-domain redirect (a redirection to a different domain), custom authentication headers, such as X-API-Key or X-Auth-Token, are not properly stripped. This allows these sensitive headers to be forwarded verbatim to the redirect target, potentially leading to the unintended disclosure of authentication information to an untrusted third party.
7.5 (High)
Affected products
Fixed
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in Axios, an HTTP client library. This vulnerability allows an attacker to exploit a prototype pollution issue if another part of the application has already polluted the Object.prototype. By doing so, the attacker can intercept and modify JSON responses or take control of the HTTP communication. This could lead to unauthorized access to sensitive information like user credentials and request details.
7.4 (High)
Affected products
Fixed
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application's core object definitions are manipulated, causing Axios to misinterpret data and include attacker-controlled headers in network communications. This could lead to unauthorized actions or data manipulation.
7.4 (High)
Affected products
Fixed
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Axios, a promise-based HTTP client for browsers and Node.js. This vulnerability occurs because the `toFormData` function recursively processes nested objects without a depth limit. A remote attacker can exploit this by sending deeply nested request data, which causes the Node.js process to crash due to a RangeError, leading to a potential Denial of Service (DoS) if the process crashes.
7.5 (High)
Affected products
Fixed
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in Axios, a promise-based HTTP client. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to manipulate the `Object.prototype.validateStatus` property. By polluting this property, all HTTP error responses (such as 401, 403, or 500) are silently treated as successful responses. This can lead to a complete bypass of application-level authentication and error handling, potentially granting unauthorized access.
8.2 (High)
Affected products
Fixed
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses (within the 127.0.0.0/8 range, excluding 127.0.0.1), the attacker can completely bypass the NO_PROXY protection, potentially leading to unauthorized access or information disclosure within the network. This issue is an incomplete fix for a previous vulnerability.
7.2 (High)
Affected products
Fixed
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution "Gadget" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.
7.4 (High)
Affected products
Fixed
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
63 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Kiali 2.17.7 for Red Hat OpenShift Service Mesh 3.2 is now available.\nAn update is now available for Red Hat OpenShift Service Mesh 3.2. This advisory contains the RPM packages for the Kiali component.\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kiali 2.17.7, for Red Hat OpenShift Service Mesh 3.2, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* CVE-2026-32280 Go: Denial of Service vulnerability in certificate chain building (OSSM-13248)\n* CVE-2026-40895 follow-redirects: Information disclosure via cross-domain redirects (OSSM-13556, OSSM-13560)\n* CVE-2026-42033 Axios: HTTP Transport Hijacking via Prototype Pollution (OSSM-13693, OSSM-13697)\n* CVE-2026-42035 Axios: Arbitrary HTTP header injection via prototype pollution (OSSM-13604, OSSM-13605)\n* CVE-2026-42043 Axios: NO_PROXY bypass via crafted URL (OSSM-13715, OSSM-13719)\n* CVE-2026-42039 Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data (OSSM-13729, OSSM-13733)\n* CVE-2026-42041 Axios: Authentication bypass due to prototype pollution of HTTP error handling (OSSM-13743, OSSM-13747)\n* CVE-2026-42044 Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget (OSSM-13784, OSSM-13785)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:16535",
"url": "https://access.redhat.com/errata/RHSA-2026:16535"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-62718",
"url": "https://access.redhat.com/security/cve/CVE-2025-62718"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-25679",
"url": "https://access.redhat.com/security/cve/CVE-2026-25679"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-29063",
"url": "https://access.redhat.com/security/cve/CVE-2026-29063"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-29074",
"url": "https://access.redhat.com/security/cve/CVE-2026-29074"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32280",
"url": "https://access.redhat.com/security/cve/CVE-2026-32280"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33186",
"url": "https://access.redhat.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-34986",
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-40175",
"url": "https://access.redhat.com/security/cve/CVE-2026-40175"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-40895",
"url": "https://access.redhat.com/security/cve/CVE-2026-40895"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42033",
"url": "https://access.redhat.com/security/cve/CVE-2026-42033"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42035",
"url": "https://access.redhat.com/security/cve/CVE-2026-42035"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42039",
"url": "https://access.redhat.com/security/cve/CVE-2026-42039"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42041",
"url": "https://access.redhat.com/security/cve/CVE-2026-42041"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42043",
"url": "https://access.redhat.com/security/cve/CVE-2026-42043"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42044",
"url": "https://access.redhat.com/security/cve/CVE-2026-42044"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-4800",
"url": "https://access.redhat.com/security/cve/CVE-2026-4800"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_16535.json"
}
],
"title": "Red Hat Security Advisory: Kiali 2.17.7 for Red Hat OpenShift Service Mesh 3.2",
"tracking": {
"current_release_date": "2026-05-15T21:06:34+00:00",
"generator": {
"date": "2026-05-15T21:06:34+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2026:16535",
"initial_release_date": "2026-05-12T21:06:57+00:00",
"revision_history": [
{
"date": "2026-05-12T21:06:57+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-12T21:07:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-15T21:06:34+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 3.2",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:3.2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163909"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Aaf21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163792"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163909"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163792"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163909"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Acc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163792"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Af8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163909"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Ab4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163792"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32280",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-04-08T02:01:19.572351+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456339"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32280"
},
{
"category": "external",
"summary": "RHBZ#2456339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32280",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32280"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"category": "external",
"summary": "https://go.dev/cl/758320",
"url": "https://go.dev/cl/758320"
},
{
"category": "external",
"summary": "https://go.dev/issue/78282",
"url": "https://go.dev/issue/78282"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4947",
"url": "https://pkg.go.dev/vuln/GO-2026-4947"
}
],
"release_date": "2026-04-08T01:06:58.595000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-12T21:06:57+00:00",
"details": "See Kiali 2.17.7 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:16535"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building"
},
{
"cve": "CVE-2026-40895",
"cwe": {
"id": "CWE-212",
"name": "Improper Removal of Sensitive Information Before Storage or Transfer"
},
"discovery_date": "2026-04-21T21:02:33.280553+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2460297"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in follow-redirects. When an HTTP request follows a cross-domain redirect (a redirection to a different domain), custom authentication headers, such as X-API-Key or X-Auth-Token, are not properly stripped. This allows these sensitive headers to be forwarded verbatim to the redirect target, potentially leading to the unintended disclosure of authentication information to an untrusted third party.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "follow-redirects: follow-redirects: Information disclosure via cross-domain redirects",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-40895"
},
{
"category": "external",
"summary": "RHBZ#2460297",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460297"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-40895",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40895"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40895",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40895"
},
{
"category": "external",
"summary": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653",
"url": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653"
}
],
"release_date": "2026-04-21T19:59:59.759000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-12T21:06:57+00:00",
"details": "See Kiali 2.17.7 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:16535"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "follow-redirects: follow-redirects: Information disclosure via cross-domain redirects"
},
{
"cve": "CVE-2026-42033",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T18:01:20.937507+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461607"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, an HTTP client library. This vulnerability allows an attacker to exploit a prototype pollution issue if another part of the application has already polluted the Object.prototype. By doing so, the attacker can intercept and modify JSON responses or take control of the HTTP communication. This could lead to unauthorized access to sensitive information like user credentials and request details.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: HTTP Transport Hijacking via Prototype Pollution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42033"
},
{
"category": "external",
"summary": "RHBZ#2461607",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461607"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42033",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42033"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf"
}
],
"release_date": "2026-04-24T17:36:44.132000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-12T21:06:57+00:00",
"details": "See Kiali 2.17.7 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:16535"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: HTTP Transport Hijacking via Prototype Pollution"
},
{
"cve": "CVE-2026-42035",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T18:01:17.109481+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461606"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application\u0027s core object definitions are manipulated, causing Axios to misinterpret data and include attacker-controlled headers in network communications. This could lead to unauthorized actions or data manipulation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Arbitrary HTTP header injection via prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42035"
},
{
"category": "external",
"summary": "RHBZ#2461606",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461606"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42035",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42035"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9",
"url": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9"
}
],
"release_date": "2026-04-24T17:38:07.752000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-12T21:06:57+00:00",
"details": "See Kiali 2.17.7 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:16535"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "axios: Axios: Arbitrary HTTP header injection via prototype pollution"
},
{
"cve": "CVE-2026-42039",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-04-24T19:01:44.887156+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461630"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client for browsers and Node.js. This vulnerability occurs because the `toFormData` function recursively processes nested objects without a depth limit. A remote attacker can exploit this by sending deeply nested request data, which causes the Node.js process to crash due to a RangeError, leading to a potential Denial of Service (DoS) if the process crashes.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42039"
},
{
"category": "external",
"summary": "RHBZ#2461630",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461630"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42039",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42039"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9",
"url": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9"
}
],
"release_date": "2026-04-24T18:01:30.775000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-12T21:06:57+00:00",
"details": "See Kiali 2.17.7 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:16535"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data"
},
{
"cve": "CVE-2026-42041",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T19:01:41.034289+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461629"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability, a Prototype Pollution \"Gadget\" attack, allows an attacker to manipulate the `Object.prototype.validateStatus` property. By polluting this property, all HTTP error responses (such as 401, 403, or 500) are silently treated as successful responses. This can lead to a complete bypass of application-level authentication and error handling, potentially granting unauthorized access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42041"
},
{
"category": "external",
"summary": "RHBZ#2461629",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461629"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42041",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42041"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42041",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42041"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63",
"url": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63"
}
],
"release_date": "2026-04-24T17:55:30.036000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-12T21:06:57+00:00",
"details": "See Kiali 2.17.7 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:16535"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling"
},
{
"cve": "CVE-2026-42043",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2026-04-24T19:01:22.552379+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461626"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses (within the 127.0.0.0/8 range, excluding 127.0.0.1), the attacker can completely bypass the NO_PROXY protection, potentially leading to unauthorized access or information disclosure within the network. This issue is an incomplete fix for a previous vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: NO_PROXY bypass via crafted URL",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42043"
},
{
"category": "external",
"summary": "RHBZ#2461626",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461626"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42043",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42043"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42043",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42043"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7",
"url": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7"
}
],
"release_date": "2026-04-24T17:54:42.668000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-12T21:06:57+00:00",
"details": "See Kiali 2.17.7 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:16535"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: NO_PROXY bypass via crafted URL"
},
{
"cve": "CVE-2026-42044",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T19:01:13.418725+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461624"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution \"Gadget\" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42044"
},
{
"category": "external",
"summary": "RHBZ#2461624",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461624"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42044",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42044"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23",
"url": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23"
}
],
"release_date": "2026-04-24T17:49:49.517000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-12T21:06:57+00:00",
"details": "See Kiali 2.17.7 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:16535"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:670dbb0cdefd1e46fc6919d4b232f88b3e39599b6ea90602476fd84308986bca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:af21dad17afca9999408d97167c950d3b37ccd14e199e8e69c7f1b80a95d536c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b4ba774d9dfa6e96c320cb2da532882a2525567fac9367fd625b26edbc59dfc0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cc913771d88f564060b1562034a5b6dd62842e899f852364d90f4ae4e6c85fd2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0b03493fd9127e224c88e3cc775fdb8e4d6851c07b0cda8220af37f3ea58b817_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:361c90a4629005ec10140af3b719c739de36cf15adb6fb03bffb62eaff9a9a89_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:36a99220c56b2552bbc8c8c6026047b9d1f5dd271ee10c07365faefc06486382_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f8862c4fa112301aa30870c2f6a891acb0e0c55e9da8d5f5dd5e057df72249ee_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…