A misconfigured ClusterRoleBinding in the OpenShift Pipelines operator lets any authenticated cluster user tamper with workload scheduling and overwrite TLS secrets, including the default ingress certificate.
What Is It
CVE-2026-10840 is a critical (CVSS 9.6) authorization flaw in the OpenShift Pipelines operator, classified as CWE-732 (Incorrect Permission Assignment for Critical Resource). The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources through the tekton-scheduler-role ClusterRole. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H) reflects a network-reachable, low-complexity attack requiring only basic authenticated access, with scope change and high impact to integrity and availability.
Why It Matters
Because the binding extends to the system:authenticated group, the bar for exploitation is simply having any valid credential on the cluster; no elevated role, no user interaction. On clusters where Kueue or cert-manager CRDs are present, an attacker can:
- Disrupt workload scheduling across the cluster
- Tamper with scheduling priorities
- Delete other tenants' Workload objects, breaking multi-tenant isolation
- Induce cert-manager to overwrite TLS Secrets, including the default ingress controller certificate, opening the door to broad TLS-level disruption or interception scenarios
The scope change in the CVSS vector reflects exactly this: an authenticated identity in one tenant boundary can reach beyond it.
What's Vulnerable
- OpenShift Pipelines operator deployments where the tekton-scheduler-rolebinding ClusterRoleBinding exists
- Clusters where Kueue or cert-manager CRDs are installed alongside the operator
The NVD record does not enumerate specific affected version CPEs at this time (status: Received). Refer to the Red Hat advisory for authoritative version data as it is published.
Patch Status
The CVE is freshly published (2026-06-04, vulnStatus: Received) and is not listed in the CISA KEV catalog at this time; no confirmation of active exploitation in the wild. Red Hat is the assigning CNA; check the Red Hat Security advisory and the linked Bugzilla entry for fixed operator versions and any interim mitigations (e.g., restricting or removing the offending ClusterRoleBinding on affected clusters).
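The "What's Vulnerable" and "Patch Status" sections both come down to one question for a cluster operator: does any ClusterRoleBinding hand a broad group such as system:authenticated a ClusterRole that can write Kueue or cert-manager resources? The script below is an added example, not code from the advisory or from the OpenShift Pipelines operator. It audits the JSON that `oc get clusterroles -o json` and `oc get clusterrolebindings -o json` return and flags such bindings. The embedded sample objects are constructed for offline use; the rule set shown for tekton-scheduler-role is an assumption, since the advisory names the role but does not reproduce its rules.

```python
"""Audit Kubernetes RBAC objects for ClusterRoleBindings that give every
authenticated user write access to Kueue or cert-manager resources.

Added example; not part of the advisory or of the OpenShift Pipelines operator.
"""
import json

# API groups the advisory names as reachable through the offending role.
SENSITIVE_GROUPS = {"kueue.x-k8s.io", "cert-manager.io"}
# Verbs that modify state; "*" covers everything.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
# Groups that mean "anyone with a valid credential" or "anyone at all".
BROAD_SUBJECTS = {"system:authenticated", "system:unauthenticated"}


def role_write_targets(role):
    """Return the set of (apiGroup, resource) pairs a ClusterRole can write."""
    targets = set()
    for rule in role.get("rules", []):
        if not set(rule.get("verbs", [])) & WRITE_VERBS:
            continue
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                targets.add((group, resource))
    return targets


def find_broad_bindings(roles, bindings):
    """Flag ClusterRoleBindings that bind a broad group to a ClusterRole able
    to write sensitive API groups. Returns a list of finding dicts."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    findings = []
    for crb in bindings:
        broad = [s["name"] for s in crb.get("subjects", [])
                 if s.get("kind") == "Group" and s.get("name") in BROAD_SUBJECTS]
        if not broad:
            continue
        ref = crb.get("roleRef", {})
        role = roles_by_name.get(ref.get("name"))
        if ref.get("kind") != "ClusterRole" or role is None:
            continue
        sensitive = {(g, r) for g, r in role_write_targets(role)
                     if g in SENSITIVE_GROUPS or g == "*"}
        if sensitive:
            findings.append({
                "binding": crb["metadata"]["name"],
                "role": role["metadata"]["name"],
                "subjects": broad,
                "writes": sorted(sensitive),
            })
    return findings


def audit_from_json(roles_json, bindings_json):
    """Run the audit over the raw output of `oc get clusterroles -o json` and
    `oc get clusterrolebindings -o json` (each a List with an 'items' array)."""
    return find_broad_bindings(json.loads(roles_json)["items"],
                               json.loads(bindings_json)["items"])


# Constructed sample: a role shaped like the one the advisory describes (its
# rules are an assumption) plus a read-only binding for contrast.
SAMPLE_ROLES = [
    {"metadata": {"name": "tekton-scheduler-role"},
     "rules": [
         {"apiGroups": ["kueue.x-k8s.io"],
          "resources": ["workloads", "workloadpriorityclasses"],
          "verbs": ["get", "list", "create", "update", "delete"]},
         {"apiGroups": ["cert-manager.io"], "resources": ["certificates"],
          "verbs": ["get", "list", "create", "update", "patch"]},
     ]},
    {"metadata": {"name": "view-only"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"],
                "verbs": ["get", "list", "watch"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "tekton-scheduler-rolebinding"},
     "roleRef": {"kind": "ClusterRole", "name": "tekton-scheduler-role"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "everyone-can-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view-only"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]


def audit_sample():
    """Audit the constructed sample; only the scheduler binding is flagged."""
    return find_broad_bindings(SAMPLE_ROLES, SAMPLE_BINDINGS)


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

Against a live cluster, pass the two `oc get ... -o json` dumps to `audit_from_json`; the read-only binding in the sample is deliberately not flagged, so a clean report means no broad group can write Kueue or cert-manager objects, which is the condition the interim mitigation (restricting or removing the binding) is meant to restore.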