CVE-2026-54099

Name of the Vulnerable Software and Affected Versions Red Hat OpenShift Container Platform 4 (affected versions not specified)

Description A flaw exists in the Windows Machine Config Operator (WMCO) where the WICD CSR auto-approver validates that a Certificate Signing Request contains the organization system:wicd-nodes but fails to reject additional organization values, such as system:masters. This allows a compromised Windows worker node possessing WICD credentials to submit a CSR that is auto-approved and signed by the cluster. This process results in a client certificate that grants cluster-administrator privileges, potentially leading to a full cluster takeover.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.