The /api/helm/verify endpoint is tasked with fetching and verifying the installation of a Helm chart from a URI (remote HTTP/HTTPS or local). Access to this endpoint is gated by the authHandlerWithUser() middleware function. Contrary to its name, this middleware function does not check whether the user's credentials are valid, so the endpoint can be accessed by unauthenticated users.

The impact of this vulnerability is as follows:

- An unauthenticated user can cause the console to query arbitrary HTTP/HTTPS URLs.
- An unauthenticated user can, by crafting a specific Helm chart, leak all Kubernetes resources accessible by the openshift-console:console service account.
- A user with an account, regardless of its privileges, can cause the OpenShift Console to not load for all users. In such an attack, anyone trying to access the Console's web interface will only see a white page after authentication.
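The middleware flaw described above, as an added Go sketch that is not the OpenShift Console's own code: a wrapper that attaches a user without validating the credential, next to one that rejects the request unless a verifier accepts the token, with a helper that checks which status an unauthenticated request receives. Every name here (weakWithUser, strictWithUser, TokenVerifier, userHandler, verifyStub, statusFor), the bearer-token scheme, the request method and the token value are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical types for this sketch; verifyStub below stands in for the real handler.
type User struct{ Token string }
type TokenVerifier func(token string) bool
type userHandler func(*User, http.ResponseWriter, *http.Request)

func bearer(r *http.Request) string {
	return strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
}

// weakWithUser shows the flaw: it builds a User from the request and never validates it.
func weakWithUser(h userHandler) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) { h(&User{Token: bearer(r)}, w, r) }
}

// strictWithUser calls the handler only when the verifier accepts the token.
func strictWithUser(ok TokenVerifier, h userHandler) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		tok := bearer(r)
		if tok == "" || !ok(tok) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		h(&User{Token: tok}, w, r)
	}
}

func verifyStub(u *User, w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }

// statusFor sends one in-memory request, with a bearer token if given, and returns the status.
func statusFor(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/helm/verify", nil) // method is arbitrary here
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	valid := func(t string) bool { return t == "constructed-valid-token" } // constructed value
	fmt.Println(statusFor(weakWithUser(verifyStub), ""), statusFor(strictWithUser(valid, verifyStub), ""))
}
```

Running a check like statusFor over every route that sits behind an authentication wrapper, and requiring 401 when no valid credential is sent, catches a wrapper whose name promises more than it enforces.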