Red Hat has updated its OpenShift AI Service after discovering a vulnerability with a CVSS rating of 9.9 that would allow an attacker to take full control of a cluster and any applications running on it.
Red Hat OpenShift AI (RHOAI) — called Red Hat OpenShift Data Science until 2023 — is the company’s Kubernetes-based platform for managing and deploying large language models (LLMs).
It’s too new to have suffered many CVE-level flaws, although the latest vulnerability, CVE-2025-10725, counts as the worst yet with a CVSS rating of 9.9, which the US National Vulnerability Database considers “Critical.” But Red Hat minimized the issue, saying that according to its own rating scale, the vulnerability only rates as “Important” because it requires authentication, albeit minimal, to exploit.
According to Red Hat’s advisory, an attacker exploiting it would be able to: “Steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it.”
Normally, vulnerabilities are a coding issue, for example a buffer overflow. Unusually, the latest vulnerability is a design flaw in the way Red Hat implemented authorization on the platform’s Role-Based Access Control (RBAC).
Red Hat describes the root of the problem as being an “overly permissive ClusterRole,” jargon for the part of the Kubernetes RBAC system that sets out permissions for users, groups, or service accounts.
As a result: “A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook [a development environment], can escalate their privileges to a full cluster administrator.”
In other words, a low-privileged user can elevate their privileges to admin level. Delving into the Red Hat Bugzilla analysis for the vulnerability reveals the full implications of this: a breakdown of tenant isolation which would affect all customers with applications running on the same cluster.
That would, of course, still require an attacker to have passed authentication at a basic level, but as numerous attacks have shown, getting hold of credentials is child’s play for modern cybercriminals.
Fixing it
Red Hat advises admins to remove the ClusterRoleBinding component that associates the kueue-batch-user-role with the system:authenticated group while avoiding “granting broad permissions to system-level groups.”
In addition: “The permission to create jobs should be granted on a more granular, as-needed basis to specific users or groups, adhering to the principle of least privilege,” said Red Hat. RHOAI images implementing a fix are versions 2.19 and 2.21.
The source of the vulnerability disclosure is unknown, but the issue was added to Red Hat’s Open Security Issue Database (OSIDB) on September 19. Red Hat’s advisory doesn’t mention public exploitation, but sysadmins will doubtless want to check their environments out of an abundance of caution.
Red Hat did not immediately respond to a request for further comment on these issues.
AI and agentic AI have become a big focus for Red Hat in recent years across its core “AI native” RHEL 10 Linux and OpenShift Container Platform. The driver for this is demand for platforms that can run LLMs on cloud infrastructure, in Red Hat’s case AWS, Azure, Google, and on-premises or private clouds.