Bug 2484738 (CVE-2026-10843)

Summary: CVE-2026-10843 cloud-credential-operator: CCO Mint-mode CredentialsRequest manifests grant account-wide IAM access beyond cluster scope on AWS
Product: [Other] Security Response    Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability    Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW    QA Contact:
Severity: high    Docs Contact:
Priority: high
Version: unspecified    Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-04 11:55:46 UTC
A flaw was found in the Cloud Credential Operator (CCO) Mint-mode CredentialsRequest manifests shipped with OpenShift Container Platform for AWS. The CredentialsRequest specifications for the Image Registry, Machine API, Ingress Operator, and EBS CSI Driver request IAM policies with Resource: "*" for destructive actions (S3 CreateBucket/DeleteBucket/PutObject/DeleteObject, EC2 TerminateInstances/RunInstances, Route53 ChangeResourceRecordSets, EC2 DeleteVolume/DeleteSnapshot). This grants the provisioned operator IAM credentials access to any AWS resource in the account, not just resources owned by the cluster.

An attacker who obtains these credentials (via pod compromise, RBAC escalation, or Secret read) can perform destructive operations against unrelated AWS resources in the same account, including deleting S3 buckets, terminating EC2 instances, modifying DNS records in unrelated hosted zones, and deleting EBS volumes belonging to other workloads or clusters.
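An added audit check, not part of this bug report or of the Cloud Credential Operator code: it walks the `statementEntries` of an AWS CredentialsRequest (the AWSProviderSpec layout, with `policyCondition` as the condition field) and reports Allow entries that grant any of the destructive actions listed above on Resource "*" without a cluster-tag condition, so an administrator can find over-broad manifests before Mint mode provisions credentials from them. The two manifests, the infra-ID placeholder and the `aws:ResourceTag/kubernetes.io/cluster/<infraID>` scoping are constructed assumptions; which services accept tag conditions on which actions is for the actual fix to decide.

```python
"""Audit helper (added example): flag CredentialsRequest statementEntries that
grant destructive AWS actions on Resource "*" without a cluster-tag condition."""
from fnmatch import fnmatchcase

# Destructive actions named in the report; IAM wildcards such as ec2:* match them too.
DESTRUCTIVE_ACTIONS = sorted({
    "s3:CreateBucket", "s3:DeleteBucket", "s3:PutObject", "s3:DeleteObject",
    "ec2:RunInstances", "ec2:TerminateInstances", "ec2:DeleteVolume",
    "ec2:DeleteSnapshot", "route53:ChangeResourceRecordSets",
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def has_cluster_condition(entry, cluster_tag_key):
    """True if a policyCondition pins the action to resources carrying the cluster tag
    (aws:ResourceTag for existing resources, aws:RequestTag for ones being created)."""
    condition = entry.get("policyCondition") or {}
    keys = {k for kv in condition.values() for k in kv}
    return any(k.endswith(cluster_tag_key) for k in keys)

def find_overbroad_entries(cr, cluster_tag_key):
    """Return (entry_index, action) for every Allow entry that grants a destructive
    action on "*" and carries no cluster-scoped condition."""
    findings = []
    entries = cr["spec"]["providerSpec"].get("statementEntries", [])
    for index, entry in enumerate(entries):
        if entry.get("effect", "Allow") != "Allow":
            continue
        if "*" not in _as_list(entry.get("resource", [])):
            continue
        if has_cluster_condition(entry, cluster_tag_key):
            continue
        for pattern in _as_list(entry.get("action", [])):
            findings.extend((index, a) for a in DESTRUCTIVE_ACTIONS if fnmatchcase(a, pattern))
    return findings

# Constructed sample in the shape of an unscoped Mint-mode manifest (placeholder infra ID).
CLUSTER_TAG_KEY = "kubernetes.io/cluster/EXAMPLE-INFRA-ID"
UNSCOPED_CR = {"spec": {"providerSpec": {"kind": "AWSProviderSpec", "statementEntries": [
    {"effect": "Allow", "action": ["ec2:DescribeInstances"], "resource": "*"},
    {"effect": "Allow", "action": ["ec2:TerminateInstances", "ec2:DeleteVolume"], "resource": "*"},
]}}}
# The same grant limited to cluster-owned resources through a tag condition (assumed scoping).
SCOPED_CR = {"spec": {"providerSpec": {"kind": "AWSProviderSpec", "statementEntries": [
    {"effect": "Allow", "action": ["ec2:DescribeInstances"], "resource": "*"},
    {"effect": "Allow", "action": ["ec2:TerminateInstances", "ec2:DeleteVolume"], "resource": "*",
     "policyCondition": {"StringEquals": {"aws:ResourceTag/" + CLUSTER_TAG_KEY: "owned"}}},
]}}}

if __name__ == "__main__":
    for name, cr in (("unscoped", UNSCOPED_CR), ("scoped", SCOPED_CR)):
        print(name, find_overbroad_entries(cr, CLUSTER_TAG_KEY))
```

Read-only actions such as `ec2:DescribeInstances` are deliberately not flagged; the check targets the destructive set the report enumerates.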