A 9.9 out of 10 severity bug in Red Hat’s OpenShift AI service could allow a remote attacker with minimal authentication to steal data, disrupt services, and fully hijack the platform.

“A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator,” the IBM subsidiary warned in a security alert published earlier this week.

“This allows for the complete compromise of the cluster’s confidentiality, integrity, and availability,” the alert continues. “The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it.”

Red Hat deemed the vulnerability, tracked as CVE-2025-10725, “important” despite its 9.9 CVSS score, which garners a critical-severity rating from the National Vulnerability Database – and basically any other organization that issues CVEs. This, the vendor explained, is because the flaw requires some level of authentication, albeit minimal, for an attacker to jeopardize the hybrid cloud environment.

Users can mitigate the flaw by removing the ClusterRoleBinding that links the kueue-batch-user-role ClusterRole with the system:authenticated group. “The permission to create jobs should be granted on a more granular, as-needed basis to specific users or groups, adhering to the principle of least privilege,” Red Hat added. 

Additionally, the vendor suggests not granting broad permissions to system-level groups.

Red Hat didn’t immediately respond to The Register’s inquiries, including if the CVE has been exploited. We will update this story as soon as we receive any additional information.

Whose role is it anyway?

OpenShift AI is an open platform for building and managing AI applications across hybrid cloud environments. 

As noted earlier, it includes a ClusterRole named “kueue-batch-user-role.” The security issue here exists because this role is incorrectly bound to the system:authenticated group.

“This grants any authenticated entity, including low-privileged service accounts for user workbenches, the permission to create OpenShift Jobs in any namespace,” according to a Bugzilla flaw-tracking report.

One of these low-privileged accounts could abuse this to schedule a malicious job in a privileged namespace, configure it to run with a high-privilege ServiceAccount, exfiltrate that ServiceAccount token, and then “progressively pivot and compromise more powerful accounts, ultimately achieving root access on cluster master nodes and leading to a full cluster takeover,” the report said.

“Vulnerabilities offering a path for a low privileged user to fully take over an environment needs to be patched in the form of an incident response cycle, seeking to prove that the environment was not already compromised,” Trey Ford, chief strategy and trust officer at crowdsourced security company Bugcrow said in an email to The Register. 

In other words: “Assume breach,” Ford added. 

“The administrators managing OpenShift AI infrastructure need to patch this with a sense of urgency – this is a delightful vulnerability pattern for attackers looking to acquire both access and data,” he said. “Security teams must move with a sense of purpose, both verifying that these environments have been patched, then investigating to confirm whether-and-if their clusters have been compromised.” ®