CVE-2026-7309

🗓️ 28 Apr 2026 12:33:55Reported by redhatType

cve🔗 web.nvd.nist.gov👁 14 Views🌐 WEB

OpenShift edit role can inject env vars into build containers via instantiate, exposing traffic.

Reporter	Title	Published	Views	Family All 8
ATTACKERKB	CVE-2026-7309	28 Apr 202612:33	–	attackerkb
CNNVD	Red Hat OpenShift Container Platform 代码问题漏洞	28 Apr 202600:00	–	cnnvd
Cvelist	CVE-2026-7309 Openshift-controller-manager: openshift container platform: information disclosure via environment variable injection	28 Apr 202612:33	–	cvelist
EUVD	EUVD-2026-26043	28 Apr 202612:33	–	euvd
NVD	CVE-2026-7309	28 Apr 202613:19	–	nvd
Positive Technologies	PT-2026-35719	28 Apr 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-7309	28 Apr 202612:33	–	redhatcve
Vulnrichment	CVE-2026-7309 Openshift-controller-manager: openshift container platform: information disclosure via environment variable injection	28 Apr 202612:33	–	vulnrichment

NVD

Node

redhat openshift_container_platformMatch4.0

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Container Platform 4",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "openshift4/ose-openshift-controller-manager-rhel9",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:openshift:4"
    ]
  }
]

Source	Link
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
access	www.access.redhat.com/security/cve/CVE-2026-7309

Parameter	Position	Path	Description	CWE
LD_PRELOAD	request body	buildconfigs/instantiate	Injection of arbitrary environment variables into docker-build containers via the buildconfigs/instantiate API leading to information disclosure of build traffic.	CWE-426
http_proxy	request body	buildconfigs/instantiate	Injection of arbitrary environment variables into docker-build containers via the buildconfigs/instantiate API leading to information disclosure of build traffic.	CWE-426

17 Jun 2026 11:02Current

5.5Medium risk

Vulners AI Score5.5

CVSS 3.14.3

EPSS0.00179

SSVC

CWE-426