{
  "document" : {
    "aggregate_severity" : {
      "namespace" : "https://access.redhat.com/security/updates/classification/",
      "text" : "Important"
    },
    "category" : "csaf_security_advisory",
    "csaf_version" : "2.0",
    "distribution" : {
      "text" : "Copyright © Red Hat, Inc. All rights reserved.",
      "tlp" : {
        "label" : "WHITE",
        "url" : "https://www.first.org/tlp/"
      }
    },
    "lang" : "en",
    "notes" : [ {
      "category" : "summary",
      "text" : "zero trust workload identity manager for Red Hat OpenShift 1.0.1",
      "title" : "Topic"
    }, {
      "category" : "general",
      "text" : "The Zero Trust Workload Identity Manager (ZTWIM) is a day-2 operator. The operator manages the lifecycle of operand components from the SPIRE project. The goal of ZTWIM is to provide secure, verifiable identities for workloads in multi-cloud environments. The operand components automate identity issuance, rotation, and verification, enhancing the zero-trust security model while eliminating static credentials. The current release of zero trust workload identity manager for Red Hat OpenShift is for Technology Preview.",
      "title" : "Details"
    }, {
      "category" : "legal_disclaimer",
      "text" : "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
      "title" : "Terms of Use"
    } ],
    "publisher" : {
      "category" : "vendor",
      "contact_details" : "https://access.redhat.com/security/team/contact/",
      "issuing_authority" : "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name" : "Red Hat Product Security",
      "namespace" : "https://www.redhat.com"
    },
    "references" : [ {
      "category" : "self",
      "summary" : "https://access.redhat.com/errata/RHSA-2026:17460",
      "url" : "https://access.redhat.com/errata/RHSA-2026:17460"
    }, {
      "category" : "external",
      "summary" : "https://access.redhat.com/security/cve/CVE-2025-61726",
      "url" : "https://access.redhat.com/security/cve/CVE-2025-61726"
    }, {
      "category" : "external",
      "summary" : "https://access.redhat.com/security/cve/CVE-2026-21441",
      "url" : "https://access.redhat.com/security/cve/CVE-2026-21441"
    }, {
      "category" : "external",
      "summary" : "https://access.redhat.com/security/updates/classification/",
      "url" : "https://access.redhat.com/security/updates/classification/"
    }, {
      "category" : "external",
      "summary" : "https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/security_and_compliance/zero-trust-workload-identity-manager",
      "url" : "https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/security_and_compliance/zero-trust-workload-identity-manager"
    }, {
      "category" : "self",
      "summary" : "Canonical URL",
      "url" : "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_17460.json"
    } ],
    "title" : "Red Hat Security Advisory: zero trust workload identity manager for Red Hat OpenShift 1.0.1",
    "tracking" : {
      "current_release_date" : "2026-05-26T05:20:32+00:00",
      "generator" : {
        "date" : "2026-05-26T05:20:32+00:00",
        "engine" : {
          "name" : "Red Hat SDEngine",
          "version" : "4.8.1"
        }
      },
      "id" : "RHSA-2026:17460",
      "initial_release_date" : "2026-05-14T06:50:52+00:00",
      "revision_history" : [ {
        "date" : "2026-05-14T06:50:52+00:00",
        "number" : "1",
        "summary" : "Initial version"
      }, {
        "date" : "2026-05-14T06:50:58+00:00",
        "number" : "2",
        "summary" : "Last updated version"
      }, {
        "date" : "2026-05-26T05:20:32+00:00",
        "number" : "3",
        "summary" : "Last generated version"
      } ],
      "status" : "final",
      "version" : "3"
    }
  },
  "product_tree" : {
    "branches" : [ {
      "branches" : [ {
        "branches" : [ {
          "category" : "product_name",
          "name" : "Zero Trust Workload Identity Manager 1",
          "product" : {
            "name" : "Zero Trust Workload Identity Manager 1",
            "product_id" : "Zero Trust Workload Identity Manager 1",
            "product_identification_helper" : {
              "cpe" : "cpe:/a:redhat:zero_trust_workload_identity_manager:1.0::el9"
            }
          }
        } ],
        "category" : "product_family",
        "name" : "Zero Trust Workload Identity Manager"
      }, {
        "branches" : [ {
          "category" : "product_version",
          "name" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:fcd19d7b5c774ada1c7f9abf3367796ef7a113c4d2e2566ffc3cc0f0be222c4d_amd64",
          "product" : {
            "name" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:fcd19d7b5c774ada1c7f9abf3367796ef7a113c4d2e2566ffc3cc0f0be222c4d_amd64",
            "product_id" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:fcd19d7b5c774ada1c7f9abf3367796ef7a113c4d2e2566ffc3cc0f0be222c4d_amd64",
            "product_identification_helper" : {
              "purl" : "pkg:oci/spiffe-spire-controller-manager-rhel9@sha256%3Afcd19d7b5c774ada1c7f9abf3367796ef7a113c4d2e2566ffc3cc0f0be222c4d?arch=amd64&repository_url=registry.redhat.io/zero-trust-workload-identity-manager&tag=1778248669"
            }
          }
        } ],
        "category" : "architecture",
        "name" : "amd64"
      }, {
        "branches" : [ {
          "category" : "product_version",
          "name" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:81ca6a7578a4fddb37ad711c0fa7d173b42b7d6bae09351cba024d85e5e5aa84_s390x",
          "product" : {
            "name" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:81ca6a7578a4fddb37ad711c0fa7d173b42b7d6bae09351cba024d85e5e5aa84_s390x",
            "product_id" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:81ca6a7578a4fddb37ad711c0fa7d173b42b7d6bae09351cba024d85e5e5aa84_s390x",
            "product_identification_helper" : {
              "purl" : "pkg:oci/spiffe-spire-controller-manager-rhel9@sha256%3A81ca6a7578a4fddb37ad711c0fa7d173b42b7d6bae09351cba024d85e5e5aa84?arch=s390x&repository_url=registry.redhat.io/zero-trust-workload-identity-manager&tag=1778248669"
            }
          }
        } ],
        "category" : "architecture",
        "name" : "s390x"
      }, {
        "branches" : [ {
          "category" : "product_version",
          "name" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:3776b0ba86480e3daa898957ef0e6f0486d0e0baf5de9413ee36ad32b3226650_ppc64le",
          "product" : {
            "name" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:3776b0ba86480e3daa898957ef0e6f0486d0e0baf5de9413ee36ad32b3226650_ppc64le",
            "product_id" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:3776b0ba86480e3daa898957ef0e6f0486d0e0baf5de9413ee36ad32b3226650_ppc64le",
            "product_identification_helper" : {
              "purl" : "pkg:oci/spiffe-spire-controller-manager-rhel9@sha256%3A3776b0ba86480e3daa898957ef0e6f0486d0e0baf5de9413ee36ad32b3226650?arch=ppc64le&repository_url=registry.redhat.io/zero-trust-workload-identity-manager&tag=1778248669"
            }
          }
        } ],
        "category" : "architecture",
        "name" : "ppc64le"
      }, {
        "branches" : [ {
          "category" : "product_version",
          "name" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:49d899eaabcb2504c80a2f88913fe1b47ab311d5669bbb90691f59b092d0e142_arm64",
          "product" : {
            "name" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:49d899eaabcb2504c80a2f88913fe1b47ab311d5669bbb90691f59b092d0e142_arm64",
            "product_id" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:49d899eaabcb2504c80a2f88913fe1b47ab311d5669bbb90691f59b092d0e142_arm64",
            "product_identification_helper" : {
              "purl" : "pkg:oci/spiffe-spire-controller-manager-rhel9@sha256%3A49d899eaabcb2504c80a2f88913fe1b47ab311d5669bbb90691f59b092d0e142?arch=arm64&repository_url=registry.redhat.io/zero-trust-workload-identity-manager&tag=1778248669"
            }
          }
        } ],
        "category" : "architecture",
        "name" : "arm64"
      } ],
      "category" : "vendor",
      "name" : "Red Hat"
    } ],
    "relationships" : [ {
      "category" : "default_component_of",
      "full_product_name" : {
        "name" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:3776b0ba86480e3daa898957ef0e6f0486d0e0baf5de9413ee36ad32b3226650_ppc64le as a component of Zero Trust Workload Identity Manager 1",
        "product_id" : "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:3776b0ba86480e3daa898957ef0e6f0486d0e0baf5de9413ee36ad32b3226650_ppc64le"
      },
      "product_reference" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:3776b0ba86480e3daa898957ef0e6f0486d0e0baf5de9413ee36ad32b3226650_ppc64le",
      "relates_to_product_reference" : "Zero Trust Workload Identity Manager 1"
    }, {
      "category" : "default_component_of",
      "full_product_name" : {
        "name" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:49d899eaabcb2504c80a2f88913fe1b47ab311d5669bbb90691f59b092d0e142_arm64 as a component of Zero Trust Workload Identity Manager 1",
        "product_id" : "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:49d899eaabcb2504c80a2f88913fe1b47ab311d5669bbb90691f59b092d0e142_arm64"
      },
      "product_reference" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:49d899eaabcb2504c80a2f88913fe1b47ab311d5669bbb90691f59b092d0e142_arm64",
      "relates_to_product_reference" : "Zero Trust Workload Identity Manager 1"
    }, {
      "category" : "default_component_of",
      "full_product_name" : {
        "name" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:81ca6a7578a4fddb37ad711c0fa7d173b42b7d6bae09351cba024d85e5e5aa84_s390x as a component of Zero Trust Workload Identity Manager 1",
        "product_id" : "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:81ca6a7578a4fddb37ad711c0fa7d173b42b7d6bae09351cba024d85e5e5aa84_s390x"
      },
      "product_reference" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:81ca6a7578a4fddb37ad711c0fa7d173b42b7d6bae09351cba024d85e5e5aa84_s390x",
      "relates_to_product_reference" : "Zero Trust Workload Identity Manager 1"
    }, {
      "category" : "default_component_of",
      "full_product_name" : {
        "name" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:fcd19d7b5c774ada1c7f9abf3367796ef7a113c4d2e2566ffc3cc0f0be222c4d_amd64 as a component of Zero Trust Workload Identity Manager 1",
        "product_id" : "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:fcd19d7b5c774ada1c7f9abf3367796ef7a113c4d2e2566ffc3cc0f0be222c4d_amd64"
      },
      "product_reference" : "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:fcd19d7b5c774ada1c7f9abf3367796ef7a113c4d2e2566ffc3cc0f0be222c4d_amd64",
      "relates_to_product_reference" : "Zero Trust Workload Identity Manager 1"
    } ]
  },
  "vulnerabilities" : [ {
    "cve" : "CVE-2025-61726",
    "cwe" : {
      "id" : "CWE-770",
      "name" : "Allocation of Resources Without Limits or Throttling"
    },
    "discovery_date" : "2026-01-28T20:01:42.791305+00:00",
    "ids" : [ {
      "system_name" : "Red Hat Bugzilla ID",
      "text" : "2434432"
    } ],
    "notes" : [ {
      "category" : "description",
      "text" : "A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.",
      "title" : "Vulnerability description"
    }, {
      "category" : "summary",
      "text" : "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
      "title" : "Vulnerability summary"
    }, {
      "category" : "other",
      "text" : "To exploit this flaw, an attacker must be able to send a specially crafted HTTP request to an application parsing URL-encoded forms with net/url, specifically a request containing a large number of unique query parameters. The request will cause the application to consume an excessive amount of memory and eventually result in a denial of service, with no impact to confidentiality or integrity. For this reason, this vulnerability has been rated with an Important severity.",
      "title" : "Statement"
    }, {
      "category" : "general",
      "text" : "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
      "title" : "CVSS score applicability"
    } ],
    "product_status" : {
      "fixed" : [ "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:3776b0ba86480e3daa898957ef0e6f0486d0e0baf5de9413ee36ad32b3226650_ppc64le", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:49d899eaabcb2504c80a2f88913fe1b47ab311d5669bbb90691f59b092d0e142_arm64", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:81ca6a7578a4fddb37ad711c0fa7d173b42b7d6bae09351cba024d85e5e5aa84_s390x", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:fcd19d7b5c774ada1c7f9abf3367796ef7a113c4d2e2566ffc3cc0f0be222c4d_amd64" ]
    },
    "references" : [ {
      "category" : "self",
      "summary" : "Canonical URL",
      "url" : "https://access.redhat.com/security/cve/CVE-2025-61726"
    }, {
      "category" : "external",
      "summary" : "RHBZ#2434432",
      "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
    }, {
      "category" : "external",
      "summary" : "https://www.cve.org/CVERecord?id=CVE-2025-61726",
      "url" : "https://www.cve.org/CVERecord?id=CVE-2025-61726"
    }, {
      "category" : "external",
      "summary" : "https://nvd.nist.gov/vuln/detail/CVE-2025-61726",
      "url" : "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
    }, {
      "category" : "external",
      "summary" : "https://go.dev/cl/736712",
      "url" : "https://go.dev/cl/736712"
    }, {
      "category" : "external",
      "summary" : "https://go.dev/issue/77101",
      "url" : "https://go.dev/issue/77101"
    }, {
      "category" : "external",
      "summary" : "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
      "url" : "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
    }, {
      "category" : "external",
      "summary" : "https://pkg.go.dev/vuln/GO-2026-4341",
      "url" : "https://pkg.go.dev/vuln/GO-2026-4341"
    } ],
    "release_date" : "2026-01-28T19:30:31.215000+00:00",
    "remediations" : [ {
      "category" : "vendor_fix",
      "date" : "2026-05-14T06:50:52+00:00",
      "details" : "Before installing the operator, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images will differ depending on the installation plan approval policy that will be used\nwhile installing the zero trust workload identity manager for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nAfter the upgrade completes, confirm that the running spire-controller-manager pod uses one of the image digests listed in this advisory for your architecture.",
      "product_ids" : [ "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:3776b0ba86480e3daa898957ef0e6f0486d0e0baf5de9413ee36ad32b3226650_ppc64le", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:49d899eaabcb2504c80a2f88913fe1b47ab311d5669bbb90691f59b092d0e142_arm64", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:81ca6a7578a4fddb37ad711c0fa7d173b42b7d6bae09351cba024d85e5e5aa84_s390x", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:fcd19d7b5c774ada1c7f9abf3367796ef7a113c4d2e2566ffc3cc0f0be222c4d_amd64" ],
      "restart_required" : {
        "category" : "none"
      },
      "url" : "https://access.redhat.com/errata/RHSA-2026:17460"
    }, {
      "category" : "workaround",
      "details" : "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
      "product_ids" : [ "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:3776b0ba86480e3daa898957ef0e6f0486d0e0baf5de9413ee36ad32b3226650_ppc64le", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:49d899eaabcb2504c80a2f88913fe1b47ab311d5669bbb90691f59b092d0e142_arm64", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:81ca6a7578a4fddb37ad711c0fa7d173b42b7d6bae09351cba024d85e5e5aa84_s390x", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:fcd19d7b5c774ada1c7f9abf3367796ef7a113c4d2e2566ffc3cc0f0be222c4d_amd64" ]
    } ],
    "scores" : [ {
      "cvss_v3" : {
        "attackComplexity" : "LOW",
        "attackVector" : "NETWORK",
        "availabilityImpact" : "HIGH",
        "baseScore" : 7.5,
        "baseSeverity" : "HIGH",
        "confidentialityImpact" : "NONE",
        "integrityImpact" : "NONE",
        "privilegesRequired" : "NONE",
        "scope" : "UNCHANGED",
        "userInteraction" : "NONE",
        "vectorString" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version" : "3.1"
      },
      "products" : [ "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:3776b0ba86480e3daa898957ef0e6f0486d0e0baf5de9413ee36ad32b3226650_ppc64le", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:49d899eaabcb2504c80a2f88913fe1b47ab311d5669bbb90691f59b092d0e142_arm64", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:81ca6a7578a4fddb37ad711c0fa7d173b42b7d6bae09351cba024d85e5e5aa84_s390x", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:fcd19d7b5c774ada1c7f9abf3367796ef7a113c4d2e2566ffc3cc0f0be222c4d_amd64" ]
    } ],
    "threats" : [ {
      "category" : "impact",
      "details" : "Important"
    } ],
    "title" : "golang: net/url: Memory exhaustion in query parameter parsing in net/url"
  }, {
    "cve" : "CVE-2026-21441",
    "cwe" : {
      "id" : "CWE-409",
      "name" : "Improper Handling of Highly Compressed Data (Data Amplification)"
    },
    "discovery_date" : "2026-01-07T23:01:59.422078+00:00",
    "ids" : [ {
      "system_name" : "Red Hat Bugzilla ID",
      "text" : "2427726"
    } ],
    "notes" : [ {
      "category" : "description",
      "text" : "urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.",
      "title" : "Vulnerability description"
    }, {
      "category" : "summary",
      "text" : "urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)",
      "title" : "Vulnerability summary"
    }, {
      "category" : "general",
      "text" : "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
      "title" : "CVSS score applicability"
    } ],
    "product_status" : {
      "fixed" : [ "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:3776b0ba86480e3daa898957ef0e6f0486d0e0baf5de9413ee36ad32b3226650_ppc64le", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:49d899eaabcb2504c80a2f88913fe1b47ab311d5669bbb90691f59b092d0e142_arm64", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:81ca6a7578a4fddb37ad711c0fa7d173b42b7d6bae09351cba024d85e5e5aa84_s390x", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:fcd19d7b5c774ada1c7f9abf3367796ef7a113c4d2e2566ffc3cc0f0be222c4d_amd64" ]
    },
    "references" : [ {
      "category" : "self",
      "summary" : "Canonical URL",
      "url" : "https://access.redhat.com/security/cve/CVE-2026-21441"
    }, {
      "category" : "external",
      "summary" : "RHBZ#2427726",
      "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2427726"
    }, {
      "category" : "external",
      "summary" : "https://www.cve.org/CVERecord?id=CVE-2026-21441",
      "url" : "https://www.cve.org/CVERecord?id=CVE-2026-21441"
    }, {
      "category" : "external",
      "summary" : "https://nvd.nist.gov/vuln/detail/CVE-2026-21441",
      "url" : "https://nvd.nist.gov/vuln/detail/CVE-2026-21441"
    }, {
      "category" : "external",
      "summary" : "https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b",
      "url" : "https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b"
    }, {
      "category" : "external",
      "summary" : "https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99",
      "url" : "https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99"
    } ],
    "release_date" : "2026-01-07T22:09:01.936000+00:00",
    "remediations" : [ {
      "category" : "vendor_fix",
      "date" : "2026-05-14T06:50:52+00:00",
      "details" : "Before installing the operator, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images will differ depending on the installation plan approval policy that will be used\nwhile installing the zero trust workload identity manager for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nAfter the upgrade completes, confirm that the running spire-controller-manager pod uses one of the image digests listed in this advisory for your architecture.",
      "product_ids" : [ "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:3776b0ba86480e3daa898957ef0e6f0486d0e0baf5de9413ee36ad32b3226650_ppc64le", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:49d899eaabcb2504c80a2f88913fe1b47ab311d5669bbb90691f59b092d0e142_arm64", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:81ca6a7578a4fddb37ad711c0fa7d173b42b7d6bae09351cba024d85e5e5aa84_s390x", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:fcd19d7b5c774ada1c7f9abf3367796ef7a113c4d2e2566ffc3cc0f0be222c4d_amd64" ],
      "restart_required" : {
        "category" : "none"
      },
      "url" : "https://access.redhat.com/errata/RHSA-2026:17460"
    } ],
    "scores" : [ {
      "cvss_v3" : {
        "attackComplexity" : "LOW",
        "attackVector" : "NETWORK",
        "availabilityImpact" : "HIGH",
        "baseScore" : 7.5,
        "baseSeverity" : "HIGH",
        "confidentialityImpact" : "NONE",
        "integrityImpact" : "NONE",
        "privilegesRequired" : "NONE",
        "scope" : "UNCHANGED",
        "userInteraction" : "NONE",
        "vectorString" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version" : "3.1"
      },
      "products" : [ "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:3776b0ba86480e3daa898957ef0e6f0486d0e0baf5de9413ee36ad32b3226650_ppc64le", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:49d899eaabcb2504c80a2f88913fe1b47ab311d5669bbb90691f59b092d0e142_arm64", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:81ca6a7578a4fddb37ad711c0fa7d173b42b7d6bae09351cba024d85e5e5aa84_s390x", "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-controller-manager-rhel9@sha256:fcd19d7b5c774ada1c7f9abf3367796ef7a113c4d2e2566ffc3cc0f0be222c4d_amd64" ]
    } ],
    "threats" : [ {
      "category" : "impact",
      "details" : "Important"
    } ],
    "title" : "urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)"
  } ]
}