CVE-2026-4740

🗓️ 07 Apr 2026 14:30:36Reported by redhatType

Open Cluster Management flaw enables cross-cluster escalation due to improper Kubernetes client certificate renewal validation.

Reporter	Title	Published	Views	Family All 13
ATTACKERKB	CVE-2026-4740	7 Apr 202614:30	–	attackerkb
Circl	CVE-2026-4740	7 Apr 202615:26	–	circl
CNNVD	Red Hat rhacm2 信任管理问题漏洞	7 Apr 202600:00	–	cnnvd
Cvelist	CVE-2026-4740 Rhacm: open cluster management (ocm): cross-cluster privilege escalation via improper kubernetes client certificate renewal validation	7 Apr 202614:30	–	cvelist
EUVD	EUVD-2026-19690	7 Apr 202615:30	–	euvd
Github Security Blog	Open Cluster Management (OCM): Cross-cluster privilege escalation via improper Kubernetes client certificate renewal validation	7 Apr 202615:30	–	github
NVD	CVE-2026-4740	7 Apr 202615:17	–	nvd
OSV	GHSA-Q4GV-PJMH-C735 Open Cluster Management (OCM): Cross-cluster privilege escalation via improper Kubernetes client certificate renewal validation	7 Apr 202615:30	–	osv
Positive Technologies	PT-2026-30871	7 Apr 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-4740	7 Apr 202614:13	–	redhatcve

NVD

Node

redhat advanced_cluster_management_for_kubernetesMatch-

[
  {
    "vendor": "Red Hat",
    "product": "Multicluster Engine for Kubernetes",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "multicluster-engine/addon-manager-rhel9",
    "defaultStatus": "unknown",
    "cpes": [
      "cpe:/a:redhat:multicluster_engine"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Multicluster Engine for Kubernetes",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "multicluster-engine/managedcluster-import-controller-rhel9",
    "defaultStatus": "unknown",
    "cpes": [
      "cpe:/a:redhat:multicluster_engine"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Multicluster Engine for Kubernetes",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "multicluster-engine/placement-rhel9",
    "defaultStatus": "unknown",
    "cpes": [
      "cpe:/a:redhat:multicluster_engine"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Multicluster Engine for Kubernetes",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "multicluster-engine/registration-operator-rhel9",
    "defaultStatus": "unknown",
    "cpes": [
      "cpe:/a:redhat:multicluster_engine"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Multicluster Engine for Kubernetes",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "multicluster-engine/registration-rhel9",
    "defaultStatus": "unknown",
    "cpes": [
      "cpe:/a:redhat:multicluster_engine"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Multicluster Engine for Kubernetes",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "multicluster-engine/work-rhel9",
    "defaultStatus": "unknown",
    "cpes": [
      "cpe:/a:redhat:multicluster_engine"
    ]
  }
]

Source	Link
access	www.access.redhat.com/security/cve/CVE-2026-4740
blog	www.blog.arfevrier.fr/open-cluster-management-cross-cluster-escape/
bugzilla	www.bugzilla.redhat.com/show_bug.cgi

28 May 2026 13:25Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.18.2

EPSS0.00012

SSVC

CWE-295