CVE-2025-11393
HIGHRuntimes-Inventory-Rhel8-Operator - Privilege Escalation
Title source: llmDescription
A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle. This allows a standard user within the cluster to send unauthorized commands to the management platform, effectively acting with the full permissions of the cluster administrator. This could lead to unauthorized changes to the cluster's configuration or status on the Red Hat platform.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:23236
Vendor Advisory vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2025-11393
Issue Tracking issue-tracking
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2402032
Scores
CVSS v3
8.7
EPSS
0.0022
EPSS Percentile
11.8%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-441
Status
published
Products (5)
Red Hat/Red Hat Lightspeed (formerly Insights) for Runtimes 1
sha256:08f473dec97e110a73e1c9886ee31512bb6937f87bdb95fbe77cb2d85695b936
Red Hat/Red Hat Lightspeed (formerly Insights) for Runtimes 1.0
1.0.0-1765483112
Red Hat/Red Hat Lightspeed (formerly Insights) for Runtimes 1.0
sha256:08f473dec97e110a73e1c9886ee31512bb6937f87bdb95fbe77cb2d85695b936
Red Hat/Red Hat Runtimes Inventory Operator
RedHatInsights/runtimes-inventory-operator
0Go
Published
Dec 15, 2025
Tracked Since
Feb 18, 2026