Bug 2463451 (CVE-2026-7309) - CVE-2026-7309 openshift-controller-manager: OpenShift Container Platform: Information disclosure via environment variable injection
Summary: CVE-2026-7309 openshift-controller-manager: OpenShift Container Platform: Inf...
Keywords:
Status: NEW
Alias: CVE-2026-7309
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-04-28 12:14 UTC by OSIDB Bzimport
Modified: 2026-04-28 12:40 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-28 12:14:26 UTC
An incomplete fix for CVE-2024-45496 was identified in the OpenShift Container Platform build system. The buildconfigs/instantiate API still accepts arbitrary environment variable names (including LD_PRELOAD, PATH, BUILDAH_RUNTIME, DOCKER_CONFIG, http_proxy, https_proxy) that propagate to the docker-build container, which remains privileged: true.

A user with the stock edit ClusterRole can inject these env vars into any BuildConfig in the namespace. The env var name validation only applies a format regex with no semantic deny-list for dangerous names.

In stock OpenShift, the edit role already grants Secret read access, making proxy interception largely redundant. The practical impact is limited to unsupported minimal role configurations.

Affected: openshift/api build/v1/consts.go
Tested on: OCP 4.21.0
CVE-2024-45496 fix applied but env injection into docker-build remains.
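As an added illustration, not code from openshift/api or from this report, the following Go validator shows the shape of check the report says is missing: a syntactic format regex followed by a semantic deny-list of the variable names named above, compared case-insensitively. The regex, the function names and the `LD_` prefix rule are assumptions; the deny-list is drawn from the names in the report and is not exhaustive.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// envNameFormat is a C-identifier-style syntactic check, the kind of
// format-only validation the report describes. The exact OpenShift regex
// is not reproduced here; this one is an assumption.
var envNameFormat = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// deniedEnvNames is the semantic deny-list the report says is absent. The
// entries are the names listed in the report (upper-cased for lookup);
// a real deployment would extend this list.
var deniedEnvNames = map[string]struct{}{
	"LD_PRELOAD":      {},
	"PATH":            {},
	"BUILDAH_RUNTIME": {},
	"DOCKER_CONFIG":   {},
	"HTTP_PROXY":      {},
	"HTTPS_PROXY":     {},
}

// ValidateEnvName returns nil when name is well-formed and not dangerous,
// otherwise an error naming the check that failed. Matching is
// case-insensitive so http_proxy and HTTP_PROXY are treated alike.
func ValidateEnvName(name string) error {
	if !envNameFormat.MatchString(name) {
		return fmt.Errorf("env var %q: invalid format", name)
	}
	upper := strings.ToUpper(name)
	if _, denied := deniedEnvNames[upper]; denied {
		return fmt.Errorf("env var %q: name is on the deny-list", name)
	}
	// Assumed extension: block every dynamic-loader variable, not only LD_PRELOAD.
	if strings.HasPrefix(upper, "LD_") {
		return fmt.Errorf("env var %q: dynamic-loader variables are not allowed", name)
	}
	return nil
}

// ValidateBuildEnv checks every variable name a build request carries and
// returns all violations at once, which is the shape an API validator or
// admission webhook needs.
func ValidateBuildEnv(envNames []string) []error {
	var errs []error
	for _, n := range envNames {
		if err := ValidateEnvName(n); err != nil {
			errs = append(errs, err)
		}
	}
	return errs
}

func main() {
	// Constructed sample request: one harmless name and three dangerous ones.
	for _, err := range ValidateBuildEnv([]string{"APP_VERSION", "LD_PRELOAD", "http_proxy", "Docker_Config"}) {
		fmt.Println(err)
	}
}
```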
