Vulnerability-Lookup

RHSA-2026:18584

Vulnerability from csaf_redhat - Published: 2026-05-19 07:44 - Updated: 2026-05-19 10:47

Summary

Red Hat Security Advisory: Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.9.4

Severity

Important

Notes

Topic: Assisted installer RHEL 8 components for the multicluster engine for Kubernetes 2.9.4 General Availability release, with updates to container images.

Details: Assisted Installer RHEL 8 integrates components for the general multicluster engine for Kubernetes 2.9.4 release that simplify the process of deploying OpenShift Container Platform clusters. The multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters, or to import existing Kubernetes-based clusters for management. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-7163

A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. The credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace. The affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected. This issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode. Successful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.

6.1 (Medium)


                        
                          CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

CWE-312 - Cleartext Storage of Sensitive Information

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:1a5ec032ec4d4833e2cd038ee1063479583d0c22d9e080b5394d2135ce35369f_ppc64le	—	Vendor Fix fix
Unresolved product id: multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9f73c8b0303fb8f6e392bbe25815c019dbc69c69f193bb6257bd6c1116f1cf50_s390x	—	Vendor Fix fix
Unresolved product id: multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fc440baf4dbd00fc403741f3724ee36e5da716e41b775ac0ed4f8048971d10a6_amd64	—	Vendor Fix fix
Unresolved product id: multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fec24ce70e2d31f2f21761cdef6cdc3ea6a62e98951c73a7a3eb6ef6720da01b_arm64	—	Vendor Fix fix

Threats

Impact Important

CVE-2026-34986

A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-131 - Incorrect Calculation of Buffer Size

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:1a5ec032ec4d4833e2cd038ee1063479583d0c22d9e080b5394d2135ce35369f_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9f73c8b0303fb8f6e392bbe25815c019dbc69c69f193bb6257bd6c1116f1cf50_s390x	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fc440baf4dbd00fc403741f3724ee36e5da716e41b775ac0ed4f8048971d10a6_amd64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fec24ce70e2d31f2f21761cdef6cdc3ea6a62e98951c73a7a3eb6ef6720da01b_arm64	—	Vendor Fix fix Workaround

Threats

Impact Important

References

15 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:18584	self
https://access.redhat.com/security/cve/CVE-2026-34986	external
https://access.redhat.com/security/cve/CVE-2026-7163	external
https://access.redhat.com/security/updates/classi…	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-7163	self
https://bugzilla.redhat.com/show_bug.cgi?id=2463152	external
https://www.cve.org/CVERecord?id=CVE-2026-7163	external
https://nvd.nist.gov/vuln/detail/CVE-2026-7163	external
https://access.redhat.com/security/cve/CVE-2026-34986	self
https://bugzilla.redhat.com/show_bug.cgi?id=2455470	external
https://www.cve.org/CVERecord?id=CVE-2026-34986	external
https://nvd.nist.gov/vuln/detail/CVE-2026-34986	external
https://github.com/go-jose/go-jose/security/advis…	external
https://pkg.go.dev/github.com/go-jose/go-jose/v4#…	external

Acknowledgments

Red Hat Omer Vishlitzky Nick Carboni Riccardo Piccoli

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Assisted installer RHEL 8 components for the multicluster engine for Kubernetes 2.9.4 General Availability release, with updates to container images.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Assisted Installer RHEL 8 integrates components for the general multicluster engine\nfor Kubernetes 2.9.4 release that simplify the process of deploying OpenShift Container\nPlatform clusters.\n\nThe multicluster engine for Kubernetes provides the foundational components\nthat are necessary for the centralized management of multiple\nKubernetes-based clusters across data centers, public clouds, and private\nclouds.\n\nYou can use the engine to create new Red Hat OpenShift Container Platform\nclusters, or to import existing Kubernetes-based clusters for management.\n\nAfter the clusters are managed, you can use the APIs that\nare provided by the engine to distribute configuration based on placement\npolicy.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:18584",
        "url": "https://access.redhat.com/errata/RHSA-2026:18584"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-34986",
        "url": "https://access.redhat.com/security/cve/CVE-2026-34986"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-7163",
        "url": "https://access.redhat.com/security/cve/CVE-2026-7163"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_18584.json"
      }
    ],
    "title": "Red Hat Security Advisory: Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.9.4",
    "tracking": {
      "current_release_date": "2026-05-19T10:47:58+00:00",
      "generator": {
        "date": "2026-05-19T10:47:58+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.0"
        }
      },
      "id": "RHSA-2026:18584",
      "initial_release_date": "2026-05-19T07:44:17+00:00",
      "revision_history": [
        {
          "date": "2026-05-19T07:44:17+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-05-19T07:44:19+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-19T10:47:58+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "multicluster engine for Kubernetes 2.9",
                "product": {
                  "name": "multicluster engine for Kubernetes 2.9",
                  "product_id": "multicluster engine for Kubernetes 2.9",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:multicluster_engine:2.9::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "multicluster engine for Kubernetes"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fc440baf4dbd00fc403741f3724ee36e5da716e41b775ac0ed4f8048971d10a6_amd64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fc440baf4dbd00fc403741f3724ee36e5da716e41b775ac0ed4f8048971d10a6_amd64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fc440baf4dbd00fc403741f3724ee36e5da716e41b775ac0ed4f8048971d10a6_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3Afc440baf4dbd00fc403741f3724ee36e5da716e41b775ac0ed4f8048971d10a6?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778464111"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fec24ce70e2d31f2f21761cdef6cdc3ea6a62e98951c73a7a3eb6ef6720da01b_arm64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fec24ce70e2d31f2f21761cdef6cdc3ea6a62e98951c73a7a3eb6ef6720da01b_arm64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fec24ce70e2d31f2f21761cdef6cdc3ea6a62e98951c73a7a3eb6ef6720da01b_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3Afec24ce70e2d31f2f21761cdef6cdc3ea6a62e98951c73a7a3eb6ef6720da01b?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778464111"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:1a5ec032ec4d4833e2cd038ee1063479583d0c22d9e080b5394d2135ce35369f_ppc64le",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:1a5ec032ec4d4833e2cd038ee1063479583d0c22d9e080b5394d2135ce35369f_ppc64le",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:1a5ec032ec4d4833e2cd038ee1063479583d0c22d9e080b5394d2135ce35369f_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3A1a5ec032ec4d4833e2cd038ee1063479583d0c22d9e080b5394d2135ce35369f?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778464111"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9f73c8b0303fb8f6e392bbe25815c019dbc69c69f193bb6257bd6c1116f1cf50_s390x",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9f73c8b0303fb8f6e392bbe25815c019dbc69c69f193bb6257bd6c1116f1cf50_s390x",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9f73c8b0303fb8f6e392bbe25815c019dbc69c69f193bb6257bd6c1116f1cf50_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3A9f73c8b0303fb8f6e392bbe25815c019dbc69c69f193bb6257bd6c1116f1cf50?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778464111"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:1a5ec032ec4d4833e2cd038ee1063479583d0c22d9e080b5394d2135ce35369f_ppc64le as a component of multicluster engine for Kubernetes 2.9",
          "product_id": "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:1a5ec032ec4d4833e2cd038ee1063479583d0c22d9e080b5394d2135ce35369f_ppc64le"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:1a5ec032ec4d4833e2cd038ee1063479583d0c22d9e080b5394d2135ce35369f_ppc64le",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9f73c8b0303fb8f6e392bbe25815c019dbc69c69f193bb6257bd6c1116f1cf50_s390x as a component of multicluster engine for Kubernetes 2.9",
          "product_id": "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9f73c8b0303fb8f6e392bbe25815c019dbc69c69f193bb6257bd6c1116f1cf50_s390x"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9f73c8b0303fb8f6e392bbe25815c019dbc69c69f193bb6257bd6c1116f1cf50_s390x",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fc440baf4dbd00fc403741f3724ee36e5da716e41b775ac0ed4f8048971d10a6_amd64 as a component of multicluster engine for Kubernetes 2.9",
          "product_id": "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fc440baf4dbd00fc403741f3724ee36e5da716e41b775ac0ed4f8048971d10a6_amd64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fc440baf4dbd00fc403741f3724ee36e5da716e41b775ac0ed4f8048971d10a6_amd64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fec24ce70e2d31f2f21761cdef6cdc3ea6a62e98951c73a7a3eb6ef6720da01b_arm64 as a component of multicluster engine for Kubernetes 2.9",
          "product_id": "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fec24ce70e2d31f2f21761cdef6cdc3ea6a62e98951c73a7a3eb6ef6720da01b_arm64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fec24ce70e2d31f2f21761cdef6cdc3ea6a62e98951c73a7a3eb6ef6720da01b_arm64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.9"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Omer Vishlitzky",
            "Nick Carboni",
            "Riccardo Piccoli"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2026-7163",
      "cwe": {
        "id": "CWE-312",
        "name": "Cleartext Storage of Sensitive Information"
      },
      "discovery_date": "2026-04-27T04:18:06.534000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2463152"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. \n\nThe credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace.\n\nThe affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected.\nThis issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode.\n\nSuccessful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "assisted-service: assisted-service: Authenticated users can gain administrative access to OpenShift clusters via credential disclosure",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important vulnerability affecting on-premises deployments of Multicluster Engine (MCE) and Red Hat Advanced Cluster Management (ACM). An authenticated user with namespace-scoped privileges can exploit a flaw in the `assisted-service` REST API to retrieve administrative credentials for OpenShift clusters provisioned through the hub. This grants unrestricted root-level administrative access to affected spoke clusters, stemming from the `AUTH_TYPE=local` mode\u0027s unconditional administrative access with a valid local JWT, which is exposed in plaintext.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:1a5ec032ec4d4833e2cd038ee1063479583d0c22d9e080b5394d2135ce35369f_ppc64le",
          "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9f73c8b0303fb8f6e392bbe25815c019dbc69c69f193bb6257bd6c1116f1cf50_s390x",
          "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fc440baf4dbd00fc403741f3724ee36e5da716e41b775ac0ed4f8048971d10a6_amd64",
          "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fec24ce70e2d31f2f21761cdef6cdc3ea6a62e98951c73a7a3eb6ef6720da01b_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-7163"
        },
        {
          "category": "external",
          "summary": "RHBZ#2463152",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463152"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-7163",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-7163"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7163",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7163"
        }
      ],
      "release_date": "2026-04-30T12:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-19T07:44:17+00:00",
          "details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.14/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.14/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.14.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:1a5ec032ec4d4833e2cd038ee1063479583d0c22d9e080b5394d2135ce35369f_ppc64le",
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9f73c8b0303fb8f6e392bbe25815c019dbc69c69f193bb6257bd6c1116f1cf50_s390x",
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fc440baf4dbd00fc403741f3724ee36e5da716e41b775ac0ed4f8048971d10a6_amd64",
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fec24ce70e2d31f2f21761cdef6cdc3ea6a62e98951c73a7a3eb6ef6720da01b_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:18584"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:1a5ec032ec4d4833e2cd038ee1063479583d0c22d9e080b5394d2135ce35369f_ppc64le",
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9f73c8b0303fb8f6e392bbe25815c019dbc69c69f193bb6257bd6c1116f1cf50_s390x",
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fc440baf4dbd00fc403741f3724ee36e5da716e41b775ac0ed4f8048971d10a6_amd64",
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fec24ce70e2d31f2f21761cdef6cdc3ea6a62e98951c73a7a3eb6ef6720da01b_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "assisted-service: assisted-service: Authenticated users can gain administrative access to OpenShift clusters via credential disclosure"
    },
    {
      "cve": "CVE-2026-34986",
      "cwe": {
        "id": "CWE-131",
        "name": "Incorrect Calculation of Buffer Size"
      },
      "discovery_date": "2026-04-06T17:01:34.639203+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2455470"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:1a5ec032ec4d4833e2cd038ee1063479583d0c22d9e080b5394d2135ce35369f_ppc64le",
          "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9f73c8b0303fb8f6e392bbe25815c019dbc69c69f193bb6257bd6c1116f1cf50_s390x",
          "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fc440baf4dbd00fc403741f3724ee36e5da716e41b775ac0ed4f8048971d10a6_amd64",
          "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fec24ce70e2d31f2f21761cdef6cdc3ea6a62e98951c73a7a3eb6ef6720da01b_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "RHBZ#2455470",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-34986",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
          "url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
        }
      ],
      "release_date": "2026-04-06T16:22:45.353000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-19T07:44:17+00:00",
          "details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.14/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.14/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.14.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:1a5ec032ec4d4833e2cd038ee1063479583d0c22d9e080b5394d2135ce35369f_ppc64le",
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9f73c8b0303fb8f6e392bbe25815c019dbc69c69f193bb6257bd6c1116f1cf50_s390x",
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fc440baf4dbd00fc403741f3724ee36e5da716e41b775ac0ed4f8048971d10a6_amd64",
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fec24ce70e2d31f2f21761cdef6cdc3ea6a62e98951c73a7a3eb6ef6720da01b_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:18584"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:1a5ec032ec4d4833e2cd038ee1063479583d0c22d9e080b5394d2135ce35369f_ppc64le",
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9f73c8b0303fb8f6e392bbe25815c019dbc69c69f193bb6257bd6c1116f1cf50_s390x",
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fc440baf4dbd00fc403741f3724ee36e5da716e41b775ac0ed4f8048971d10a6_amd64",
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fec24ce70e2d31f2f21761cdef6cdc3ea6a62e98951c73a7a3eb6ef6720da01b_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:1a5ec032ec4d4833e2cd038ee1063479583d0c22d9e080b5394d2135ce35369f_ppc64le",
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9f73c8b0303fb8f6e392bbe25815c019dbc69c69f193bb6257bd6c1116f1cf50_s390x",
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fc440baf4dbd00fc403741f3724ee36e5da716e41b775ac0ed4f8048971d10a6_amd64",
            "multicluster engine for Kubernetes 2.9:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:fec24ce70e2d31f2f21761cdef6cdc3ea6a62e98951c73a7a3eb6ef6720da01b_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object"
    }
  ]
}

CVE-2026-7163 (GCVE-0-2026-7163)

Vulnerability from cvelistv5 – Published: 2026-04-30 13:18 – Updated: 2026-05-19 08:09

Title

Assisted-service: assisted-service: authenticated users can gain administrative access to openshift clusters via credential disclosure

Summary

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

CWE

CWE-312 - Cleartext Storage of Sensitive Information

Assigner

redhat

References

8 references

URL	Tags
https://access.redhat.com/errata/RHSA-2026:11511	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:11512	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:12116	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:12337	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:18584	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:18585	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-7163	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2463152	issue-trackingx_refsource_REDHAT

Impacted products

6 products

Vendor	Product	Version
Red Hat	multicluster engine for Kubernetes 2.10	Unaffected: 1776983527 , < * (rpm) cpe:/a:redhat:multicluster_engine:2.10::el9
Red Hat	multicluster engine for Kubernetes 2.11	Unaffected: 1776987609 , < * (rpm) cpe:/a:redhat:multicluster_engine:2.11::el9
Red Hat	multicluster engine for Kubernetes 2.7	Unaffected: 1777205801 , < * (rpm) cpe:/a:redhat:multicluster_engine:2.7::el8
Red Hat	multicluster engine for Kubernetes 2.7	Unaffected: 1777205772 , < * (rpm) cpe:/a:redhat:multicluster_engine:2.7::el9
Red Hat	multicluster engine for Kubernetes 2.9	Unaffected: 1778464111 , < * (rpm) cpe:/a:redhat:multicluster_engine:2.9::el8
Red Hat	multicluster engine for Kubernetes 2.9	Unaffected: 1778464072 , < * (rpm) cpe:/a:redhat:multicluster_engine:2.9::el9

Date Public ?

2026-04-30 12:00

Credits

This issue was discovered by Nick Carboni (Red Hat), Omer Vishlitzky (Red Hat), and Riccardo Piccoli (Red Hat).

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7163",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-30T13:35:04.958346Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-30T13:35:15.598Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:multicluster_engine:2.10::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "multicluster-engine/assisted-service-9-rhel9",
          "product": "multicluster engine for Kubernetes 2.10",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1776983527",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:multicluster_engine:2.11::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "multicluster-engine/assisted-service-9-rhel9",
          "product": "multicluster engine for Kubernetes 2.11",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1776987609",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:multicluster_engine:2.7::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "multicluster-engine/assisted-service-8-rhel8",
          "product": "multicluster engine for Kubernetes 2.7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1777205801",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:multicluster_engine:2.7::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "multicluster-engine/assisted-service-9-rhel9",
          "product": "multicluster engine for Kubernetes 2.7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1777205772",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:multicluster_engine:2.9::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "multicluster-engine/assisted-service-8-rhel8",
          "product": "multicluster engine for Kubernetes 2.9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1778464111",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:multicluster_engine:2.9::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "multicluster-engine/assisted-service-9-rhel9",
          "product": "multicluster engine for Kubernetes 2.9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1778464072",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was discovered by Nick Carboni (Red Hat), Omer Vishlitzky (Red Hat), and Riccardo Piccoli (Red Hat)."
        }
      ],
      "datePublic": "2026-04-30T12:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. \n\nThe credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace.\n\nThe affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected.\nThis issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode.\n\nSuccessful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "Cleartext Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-19T08:09:21.769Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2026:11511",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:11511"
        },
        {
          "name": "RHSA-2026:11512",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:11512"
        },
        {
          "name": "RHSA-2026:12116",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:12116"
        },
        {
          "name": "RHSA-2026:12337",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:12337"
        },
        {
          "name": "RHSA-2026:18584",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:18584"
        },
        {
          "name": "RHSA-2026:18585",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:18585"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-7163"
        },
        {
          "name": "RHBZ#2463152",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463152"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-27T04:18:06.534Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-04-30T12:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Assisted-service: assisted-service: authenticated users can gain administrative access to openshift clusters via credential disclosure",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-312: Cleartext Storage of Sensitive Information"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-7163",
    "datePublished": "2026-04-30T13:18:49.088Z",
    "dateReserved": "2026-04-27T04:21:23.911Z",
    "dateUpdated": "2026-05-19T08:09:21.769Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34986 (GCVE-0-2026-34986)

Vulnerability from cvelistv5 – Published: 2026-04-06 16:22 – Updated: 2026-04-07 14:21

Title

Go JOSE affect by a panic in JWE decryption

Summary

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-248 - Uncaught Exception

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/go-jose/go-jose/security/advis…	x_refsource_CONFIRM
https://pkg.go.dev/github.com/go-jose/go-jose/v4#…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
go-jose	go-jose	Affected: >= 4.0.0, < 4.1.4 Affected: < 3.0.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34986",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T14:21:42.477191Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T14:21:54.041Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "go-jose",
          "vendor": "go-jose",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.1.4"
            },
            {
              "status": "affected",
              "version": "\u003c 3.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-06T16:22:45.353Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
        },
        {
          "name": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
        }
      ],
      "source": {
        "advisory": "GHSA-78h2-9frx-2jm8",
        "discovery": "UNKNOWN"
      },
      "title": "Go JOSE affect by a panic in JWE decryption"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34986",
    "datePublished": "2026-04-06T16:22:45.353Z",
    "dateReserved": "2026-03-31T19:38:31.617Z",
    "dateUpdated": "2026-04-07T14:21:54.041Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:18584

CVE-2026-7163 (GCVE-0-2026-7163)

CVE-2026-34986 (GCVE-0-2026-34986)

Tags

Sightings

Nomenclature