CVE-2025-11393

HIGH

Runtimes-Inventory-Rhel8-Operator - Privilege Escalation

Title source: llm

Description

A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle. This allows a standard user within the cluster to send unauthorized commands to the management platform, effectively acting with the full permissions of the cluster administrator. This could lead to unauthorized changes to the cluster's configuration or status on the Red Hat platform.

References (3)

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:23236

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2025-11393

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2402032

Scores

CVSS v3 8.7

EPSS 0.0001

EPSS Percentile 0.8%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-441

Status published

Products (4)

Red Hat/Red Hat Lightspeed (formerly Insights) for Runtimes 1 sha256:08f473dec97e110a73e1c9886ee31512bb6937f87bdb95fbe77cb2d85695b936

Red Hat/Red Hat Lightspeed (formerly Insights) for Runtimes 1.0 sha256:08f473dec97e110a73e1c9886ee31512bb6937f87bdb95fbe77cb2d85695b936

Red Hat/Red Hat Runtimes Inventory Operator

RedHatInsights/runtimes-inventory-operator 0Go

Published Dec 15, 2025

Tracked Since Feb 18, 2026