Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-29T12:00:00 assisted-service: assisted-service: InfraEnv status leaks referenced pull-secret contents to namespace view users 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N CWE-201

ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterRole cannot directly read Secrets, but can read `InfraEnv` objects and recover the referenced Secret's `.dockerconfigjson` data from status. This bypasses the Kubernetes/OpenShift RBAC separation between read-only namespace viewers and Secret readers. In the reproduced proof, the same ServiceAccount was denied `get` and `list` on Secrets, but recovered synthetic pull-secret `username`, `password`, `email`, and base64 `auth` fields through `InfraEnv.status`.

Red Hat rates this flaw as Moderate impact. Exploitation requires a namespace "view" user to be in a namespace where an InfraEnv references a pull secret that fails assisted-service validation -- a condition the "view" user cannot trigger themselves. Red Hat scores UI:R (User Interaction Required) because the leak only exists when an administrator creates or updates an InfraEnv referencing a pull secret that fails validation; without that admin action, there is nothing to exploit. The direct impact is confidentiality: the full pull-secret content is disclosed through InfraEnv status, bypassing the Kubernetes RBAC boundary that prevents "view" users from reading Secrets. Red Hat scores I:L (Integrity: Low) rather than I:H because, with Scope: Unchanged, integrity impact should reflect the vulnerable component (MCE/ACM), not external registries. The leaked credential's write capability is conditional on the specific credential's permissions and does not represent integrity compromise of the ACM/MCE cluster itself. Multicluster Engine for Kubernetes Under investigation multicluster-engine/assisted-service-9-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-10101 https://nvd.nist.gov/vuln/detail/CVE-2026-10101