CVE-2026-10840 Openshift-pipelines-operator-rh: openshift-pipelines-operator: tekton-scheduler-rolebinding grants system:authenticated write access to kueue and cert-manager resources

🗓️ 04 Jun 2026 12:04:42Reported by redhatType

OpenShift Pipelines operator flaw grants system:authenticated write to Kueue and cert-manager CRDs, enabling disruption.

Reporter	Title	Published	Views	Family All 8
ATTACKERKB	CVE-2026-10840	4 Jun 202612:04	–	attackerkb
Circl	CVE-2026-10840	4 Jun 202614:21	–	circl
CVE	CVE-2026-10840	4 Jun 202612:04	–	cve
EUVD	EUVD-2026-34248	4 Jun 202612:04	–	euvd
NVD	CVE-2026-10840	4 Jun 202612:16	–	nvd
Positive Technologies	PT-2026-46191	4 Jun 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-10840	4 Jun 202612:04	–	redhatcve
Vulnrichment	CVE-2026-10840 Openshift-pipelines-operator-rh: openshift-pipelines-operator: tekton-scheduler-rolebinding grants system:authenticated write access to kueue and cert-manager resources	4 Jun 202612:04	–	vulnrichment

[
  {
    "vendor": "Red Hat",
    "product": "Builds for Red Hat OpenShift",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "openshift-builds/openshift-builds-rhel9-operator",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:openshift_builds:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "OpenShift Pipelines",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "openshift-pipelines/pipelines-operator-proxy-rhel8",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:openshift_pipelines:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "OpenShift Pipelines",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "openshift-pipelines/pipelines-operator-proxy-rhel9",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:openshift_pipelines:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "OpenShift Pipelines",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "openshift-pipelines/pipelines-operator-webhook-rhel8",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:openshift_pipelines:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "OpenShift Pipelines",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "openshift-pipelines/pipelines-operator-webhook-rhel9",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:openshift_pipelines:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "OpenShift Pipelines",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "openshift-pipelines/pipelines-rhel8-operator",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:openshift_pipelines:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "OpenShift Pipelines",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "openshift-pipelines/pipelines-rhel9-operator",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:openshift_pipelines:1"
    ]
  }
]

Source	Link
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
access	www.access.redhat.com/security/cve/CVE-2026-10840

09 Jun 2026 08:25Current

CVSS 3.17.1

EPSS0.00024

CWE-732