A flaw was found in the OpenShift Cluster Logging Operator. The operator creates kubernetes.io/service-account-token Secrets and forwards them as bearer authentication to output URLs without verifying that the ClusterLogForwarder (CLF) creator is authorized to use the referenced ServiceAccount's credentials. A user with write access to ClusterLogForwarder resources but without secrets access can exfiltrate ServiceAccount tokens for any in-namespace ServiceAccount. When a CLF specifies only receiver-type inputs, the SubjectAccessReview (SAR) validation is bypassed entirely, widening the attack to ServiceAccounts that lack log-collection RBAC. However, even with standard inputs, any ServiceAccount that passes the input-side SAR check (including the operator's own ServiceAccount) has its token created and forwarded without any output-side authorization. The stolen token inherits all RBAC bindings of the target ServiceAccount, potentially enabling cluster-wide privilege escalation.
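The two authorization gaps described above (no check that the CLF creator may use the ServiceAccount's token, and the input-side check being skipped for receiver-only inputs) can be made concrete with a small policy model. The following Go program is an added illustration, not code from the Cluster Logging Operator: the `Authorizer` type and its permission records are a constructed stand-in for Kubernetes SubjectAccessReview answers, the user and ServiceAccount names are invented, and the output-side rule it enforces (the requester must be allowed to `create` the `serviceaccounts/token` subresource for the referenced ServiceAccount) is one reasonable choice of the missing check, not the operator's actual fix.

```go
package main

import "fmt"

// Permission is one RBAC-style rule. An empty Name or Namespace matches anything.
// Constructed stand-in for what a SubjectAccessReview would answer.
type Permission struct {
	Verb, Resource, Subresource, Namespace, Name string
}

// Authorizer maps a subject (user or ServiceAccount) to the permissions it holds.
type Authorizer map[string][]Permission

// Allowed answers "may subject perform want?" the way a SubjectAccessReview would.
func (a Authorizer) Allowed(subject string, want Permission) bool {
	for _, p := range a[subject] {
		if p.Verb == want.Verb && p.Resource == want.Resource &&
			p.Subresource == want.Subresource &&
			(p.Namespace == "" || p.Namespace == want.Namespace) &&
			(p.Name == "" || p.Name == want.Name) {
			return true
		}
	}
	return false
}

// Input and Output mirror the parts of a ClusterLogForwarder that matter here.
type Input struct{ Name, Type string } // Type: "receiver", "application", "infrastructure", "audit"
type Output struct{ Name, URL string }

// ForwarderSpec is a simplified CLF: which ServiceAccount the collector runs as,
// what it reads, and where it forwards logs (authenticating with that SA's token).
type ForwarderSpec struct {
	Namespace, ServiceAccount string
	Inputs                    []Input
	Outputs                   []Output
}

func saSubject(ns, name string) string { return "system:serviceaccount:" + ns + ":" + name }

// saMayCollect models the input-side SAR: the ServiceAccount itself must hold
// log-collection RBAC for every non-receiver input (modeled as verb "collect"
// on resource "logs", name = input type). Receiver inputs need nothing.
func saMayCollect(a Authorizer, spec ForwarderSpec) bool {
	for _, in := range spec.Inputs {
		if in.Type == "receiver" {
			continue
		}
		if !a.Allowed(saSubject(spec.Namespace, spec.ServiceAccount),
			Permission{Verb: "collect", Resource: "logs", Name: in.Type}) {
			return false
		}
	}
	return true
}

// vulnerableAllows reproduces the flawed decision: the only gate is the SA's own
// collection RBAC (vacuously satisfied for receiver-only CLFs), and the requester's
// right to use that SA's token is never consulted.
func vulnerableAllows(a Authorizer, requester string, spec ForwarderSpec) bool {
	_ = requester // the flaw: the CLF creator is never authorized against the SA
	return saMayCollect(a, spec)
}

// hardenedAllows adds the missing output-side check (assumed rule, see lead-in):
// the CLF creator must be allowed to mint a token for the referenced SA. It runs
// for every CLF, receiver-only or not, so the bypass path no longer exists.
func hardenedAllows(a Authorizer, requester string, spec ForwarderSpec) bool {
	tokenReq := Permission{Verb: "create", Resource: "serviceaccounts", Subresource: "token",
		Namespace: spec.Namespace, Name: spec.ServiceAccount}
	if !a.Allowed(requester, tokenReq) {
		return false
	}
	return saMayCollect(a, spec)
}

// sampleAuthorizer holds constructed subjects: alice may write CLFs but touch no
// SA tokens; bob may additionally request tokens for the "collector" SA only; the
// (invented) operator SA and the collector SA both hold collection RBAC.
func sampleAuthorizer() Authorizer {
	ns := "openshift-logging"
	return Authorizer{
		"alice": {{Verb: "create", Resource: "clusterlogforwarders", Namespace: ns}},
		"bob": {
			{Verb: "create", Resource: "clusterlogforwarders", Namespace: ns},
			{Verb: "create", Resource: "serviceaccounts", Subresource: "token", Namespace: ns, Name: "collector"},
		},
		saSubject(ns, "logging-operator"): {{Verb: "collect", Resource: "logs"}},
		saSubject(ns, "collector"):        {{Verb: "collect", Resource: "logs"}},
	}
}

// receiverOnlySpec is the bypass case: no collected inputs, so no input-side SAR.
func receiverOnlySpec(sa string) ForwarderSpec {
	return ForwarderSpec{Namespace: "openshift-logging", ServiceAccount: sa,
		Inputs:  []Input{{Name: "syslog-in", Type: "receiver"}},
		Outputs: []Output{{Name: "sink", URL: "https://collector.example.invalid/logs"}}}
}

// collectingSpec is the standard case: an application input plus an output.
func collectingSpec(sa string) ForwarderSpec {
	return ForwarderSpec{Namespace: "openshift-logging", ServiceAccount: sa,
		Inputs:  []Input{{Name: "app", Type: "application"}},
		Outputs: []Output{{Name: "sink", URL: "https://collector.example.invalid/logs"}}}
}

func main() {
	a := sampleAuthorizer()
	cases := []struct {
		who  string
		spec ForwarderSpec
	}{
		{"alice", receiverOnlySpec("logging-operator")},
		{"alice", collectingSpec("logging-operator")},
		{"bob", collectingSpec("collector")},
		{"bob", collectingSpec("logging-operator")},
	}
	for _, c := range cases {
		fmt.Printf("%-6s sa=%-17s vulnerable=%-5v hardened=%v\n", c.who, c.spec.ServiceAccount,
			vulnerableAllows(a, c.who, c.spec), hardenedAllows(a, c.who, c.spec))
	}
}
```

Running it shows the contrast the advisory describes: alice, who holds no secrets or token rights, gets a token for the operator's ServiceAccount under the vulnerable rule both via the receiver-only bypass and via a normal application input, while the hardened rule refuses both; bob is allowed only for the one ServiceAccount he is explicitly entitled to mint tokens for.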