Red Hat Product Errata RHSA-2026:16542 - Security Advisory
Issued:
2026-05-12
Updated:
2026-05-12

RHSA-2026:16542 - Security Advisory

Synopsis

Kiali 2.22.3 for Red Hat OpenShift Service Mesh 3.3

Type/Severity

Security Advisory: Important

Topic

Kiali 2.22.3 for Red Hat OpenShift Service Mesh 3.3 is now available.
An update is now available for Red Hat OpenShift Service Mesh 3.3. This advisory contains the RPM packages for the Kiali component.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Kiali 2.22.3, for Red Hat OpenShift Service Mesh 3.3, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.

Security Fix(es):

  • CVE-2026-32280 Go: Denial of Service vulnerability in certificate chain building (OSSM-13286)
  • CVE-2026-40895 follow-redirects: Information disclosure via cross-domain redirects (OSSM-13557, OSSM-13561)
  • CVE-2026-42033 Axios: HTTP Transport Hijacking via Prototype Pollution (OSSM-13694, OSSM-13698)
  • CVE-2026-42035 Axios: Arbitrary HTTP header injection via prototype pollution (OSSM-13606, OSSM-13607)
  • CVE-2026-42043 Axios: NO_PROXY bypass via crafted URL (OSSM-13716, OSSM-13720)
  • CVE-2026-42039 Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data (OSSM-13730, OSSM-13734)
  • CVE-2026-42041 Axios: Authentication bypass due to prototype pollution of HTTP error handling (OSSM-13744, OSSM-13748)
  • CVE-2026-42044 Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget (OSSM-13786, OSSM-13787)

Bug Fix(es):

  • OSSM-13773 OSSMC MTLS icon is not working

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Fixes

amd64

registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b
registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297
registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc
registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff

arm64

registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1
registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd
registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45

ppc64le

registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f
registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc
registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1

s390x

registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e
registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26
registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.