Bug 2487953 (CVE-2026-54100)

Summary: CVE-2026-54100 windows-machine-config-operator: windows-machine-config-operator: SSH host key not verified enables credential theft
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server host key. An adjacent-network attacker who can intercept or redirect WMCO's SSH session can capture WICD and kubelet bootstrap credentials transferred during node configuration, enabling compromise of Windows node identities in the cluster.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-11 17:29:36 UTC
Windows Machine Config Operator (WMCO) opens SSH sessions to Windows worker nodes without validating the remote server identity. Sensitive node configuration material is transferred over those sessions during normal reconciliation. If an attacker can position themselves on the network path between WMCO and the intended Windows node, they may be able to impersonate the node and obtain credentials WMCO delivers during configuration.