<Vulnerability name="CVE-2026-15063">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-08T00:00:00</PublicDate>
    <Bugzilla id="2498058" url="https://bugzilla.redhat.com/show_bug.cgi?id=2498058" xml:lang="en:us">
trustyai-service-operator: TrustyAI Service Operator: Gorch port bypass when auth IS enabled
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>6.3</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-306</CWE>
    <Details xml:lang="en:us" source="Mitre">
A flaw was found in the gorch service template, which is part of the trustyai-service-operator. Even when authentication is enabled, the gorch service exposes unproxied orchestrator and detector metrics ports. This allows any pod on the cluster network to directly access these ports, bypassing the kube-rbac-proxy and its authentication mechanisms. This could lead to unauthorized access to the orchestrator and detector metrics.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in the gorch service template, which is part of the trustyai-service-operator. Even when authentication is enabled, the gorch service exposes unproxied orchestrator and detector metrics ports. This allows any pod on the cluster network to directly access these ports, bypassing the kube-rbac-proxy and its authentication mechanisms. This could lead to unauthorized access to the orchestrator and detector metrics.
    </Details>
    <Statement xml:lang="en:us">
Moderate: The gorch service, a component of the trustyai-service-operator, exposes unproxied orchestrator and detector metrics ports (8032 and 8080) on the cluster network. This allows any pod within the cluster to bypass the kube-rbac-proxy and access these services without authentication, even when authentication is configured.
    </Statement>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-trustyai-service-operator-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-15063
https://nvd.nist.gov/vuln/detail/CVE-2026-15063
    </References>
</Vulnerability>