PT-2026-36097 · Red Hat · Multicluster Engine +1

Nick Carboni · Published 2026-04-30 · Updated 2026-05-19 · CVE-2026-7163

CVSS v3.1: 6.1 (Medium)
Vector: AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Multicluster Engine (affected versions not specified)
Red Hat Advanced Cluster Management (affected versions not specified)
Description
A flaw in the assisted-service REST API, an optional Assisted Installer component of the Multicluster Engine, lets an authenticated user with minimal namespace-scoped privileges obtain administrative credentials for any cluster provisioned through the hub. In on-premises deployments that use local authentication mode, the authenticator grants full administrative access to any request carrying a valid JSON Web Token (JWT), with no per-endpoint restrictions. A valid local JWT is stored in plaintext as a query parameter of InfraEnvStatus.ISODownloadURL, which is readable by any user with read permission on an InfraEnv object in their namespace. With that token, an attacker can call the credentials download endpoint (GET /v2/clusters/{cluster id}/credentials) to retrieve the kubeadmin password, as well as the kubeconfig download endpoint, resulting in unrestricted root-level administrative access to spoke clusters.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
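Because the exposure path is a secret embedded in a Kubernetes status field, a hub administrator can at least enumerate which InfraEnv objects currently carry a token, and therefore which namespaces' read-only users effectively hold hub credentials. The audit below is an added example written for this advisory; it is not code from Red Hat or the assisted-service project. It assumes the InfraEnvStatus.ISODownloadURL value is serialised as status.isoDownloadURL on the InfraEnv resource, that the input is a list-shaped JSON dump such as `kubectl get infraenvs -A -o json` produces, and that the token travels in a query parameter (the parameter name api_key and all sample objects and token values are constructed, not taken from the page). Findings are reported with the token redacted so the audit output does not itself become a copy of the secret.

```python
"""Audit InfraEnv objects for JWTs embedded in status.isoDownloadURL.

Added example for advisory PT-2026-36097 / CVE-2026-7163 (not project code).
Assumptions: the field is serialised as status.isoDownloadURL; the token is a
query parameter; sample data below is constructed.
"""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Compact JWS/JWT shape: three base64url segments separated by dots
# (the signature segment may be empty for "alg": "none").
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def redact(token: str) -> str:
    """Keep only a short prefix/suffix so findings can be correlated without
    reproducing the secret in audit output."""
    if len(token) <= 16:
        return "<redacted>"
    return token[:8] + "..." + token[-4:]


def find_embedded_tokens(infraenv_list: dict) -> list[dict]:
    """Return one finding per InfraEnv whose ISO download URL carries a
    JWT-shaped query parameter value."""
    findings = []
    for obj in infraenv_list.get("items", []):
        url = (obj.get("status") or {}).get("isoDownloadURL")
        if not url:
            continue  # not yet reconciled, or no ISO URL published
        query = urlsplit(url).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if JWT_RE.match(value):
                meta = obj.get("metadata", {})
                findings.append({
                    "namespace": meta.get("namespace"),
                    "name": meta.get("name"),
                    "param": key,
                    "token": redact(value),
                })
    return findings


# Constructed sample: one InfraEnv with an embedded token, one without,
# one with no status yet. The JWT segments are placeholders, not real tokens.
_CONSTRUCTED_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpbmZyYV9lbnZfaWQiOiIxMTExMTExMSJ9."
    "c2lnbmF0dXJlLXBsYWNlaG9sZGVy"
)
_BASE = "https://assisted-image-service.example.invalid/images/"
SAMPLE_INFRAENVS = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "kind": "InfraEnv",
            "metadata": {"namespace": "team-a", "name": "lab-infraenv"},
            "status": {"isoDownloadURL": _BASE + "11111111-2222-3333-4444-555555555555"
                       + "?api_key=" + _CONSTRUCTED_JWT + "&type=full-iso"},
        },
        {
            "kind": "InfraEnv",
            "metadata": {"namespace": "team-b", "name": "clean-infraenv"},
            "status": {"isoDownloadURL": _BASE + "66666666-7777-8888-9999-000000000000"
                       + "?type=minimal-iso"},
        },
        {
            "kind": "InfraEnv",
            "metadata": {"namespace": "team-c", "name": "pending-infraenv"},
        },
    ],
}

if __name__ == "__main__":
    # Replace SAMPLE_INFRAENVS with json.load(open("infraenvs.json")) for real dumps.
    print(json.dumps(find_embedded_tokens(SAMPLE_INFRAENVS), indent=2))
```

Each finding names a namespace whose InfraEnv readers can presently reach the hub API with that token; until a fixed release is available, the practical controls are narrowing RBAC read access to InfraEnv objects to the users who genuinely need the ISO URL, and monitoring the assisted-service credentials and kubeconfig download endpoints for callers that do not match the expected provisioning workflow.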

Weakness Enumeration

Cleartext Storage of Sensitive Information (CWE-312)

Related Identifiers

CVE-2026-7163

Affected Products

Multicluster Engine
Red Hat Advanced Cluster Management