CVE-2026-15044

MEDIUM

Trustyai-service-operator: trustyai service operator: unauthenticated access to ai guardrails and orchestrator apis

Title source: cna
STIX 2.1

Description

A flaw was found in the TrustyAI Service Operator. When deploying services like gorch or NemoGuardrails, if a specific security setting is not enabled, these services can expose their communication channels without requiring users to prove their identity. This allows any other program within the cluster to access the AI guardrails and orchestrator without proper authorization. An attacker could exploit this to gain unauthorized access to sensitive information and potentially make limited changes to the AI models.

References (2)

Core 2
Core References
Vdb Entry, X_Refsource_Redhat vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-15044
Issue Tracking, X_Refsource_Redhat issue-tracking x_refsource_redhat
RHBZ#2498039
https://bugzilla.redhat.com/show_bug.cgi?id=2498039

Scores

CVSS v3 6.3
EPSS 0.0017
EPSS Percentile 6.6%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

Status published
Products (1)
Red Hat/Red Hat OpenShift AI (RHOAI)
Published Jul 08, 2026
Tracked Since Jul 08, 2026