Red Hat Multicluster Engine Administrative Credentials Disclosure Vulnerability in Assisted Service REST API

Vulnerability

A vulnerability exists in the assisted-service REST API, part of Red Hat Multicluster Engine (MCE), allowing authenticated users with limited namespace-scoped privileges to access administrative credentials for any clusters provisioned through the hub. This issue arises because the credentials download endpoint and the kubeconfig download endpoint are active in AUTH_TYPE=local mode, the sole authentication mode for on-premises ACM/MCE hub deployments. In this mode, a valid JSON Web Token (JWT) grants unrestricted administrative access, with no endpoint-specific limitations. The vulnerability is exploitable by users who can read InfraEnv objects in their namespace, as they can access a valid JWT embedded in a query parameter of a downloadable ISO URL. Exploitation of this vulnerability provides the kubeadmin password and kubeconfig for any OpenShift cluster managed by the affected hub, allowing full administrative access to those clusters.

Impact

Exploitation of this vulnerability allows an authenticated user to gain administrative access to any OpenShift clusters provisioned through the affected MCE hub, by disclosing the kubeadmin password and kubeconfig for those clusters.

Added: Apr 30, 2026, 2:27 PM
Updated: Apr 30, 2026, 2:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 4.2
exploitability: 5.2
remediation: 0.0
relevance: 7.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.