CVE-2026-7163 [Medium] | Security Vulnerability in Multicluster Engine For K…

A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. The credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace. The affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected. This issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode. Successful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-05-01	—	0.01%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-05-01

—

0.01%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.1	3.1	MEDIUM	`CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N` Click to expand Attack vector (AV:A) Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:N) Service keeps running; no real outage angle.	1.7	4.0	[email protected]
5.5	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:N) Service keeps running; no real outage angle.	1.8	3.6	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

6.1

3.1

MEDIUM

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N Click to expand

Attack vector (AV:A): Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:N): Service keeps running; no real outage angle.

1.7

4.0

[email protected]

5.5

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:N): Service keeps running; no real outage angle.

1.8

3.6

[email protected]

OS Trackers for CVE-2026-7163

vendor	priority	summary	link
`redhat`	high	—	https://access.redhat.com/security/cve/CVE-2026-7163

vendor

priority

summary

link

redhat

high

—

https://access.redhat.com/security/cve/CVE-2026-7163

Affected software / configurations for CVE-2026-7163

Vendor	Product	Version	Raw CPE
redhat	multicluster_engine_for_kubernetes	2.1	cpe:2.3:a:redhat:multicluster_engine_for_kubernetes:2.1:::::::*
redhat	multicluster_engine_for_kubernetes	2.7	cpe:2.3:a:redhat:multicluster_engine_for_kubernetes:2.7:::::::*

References for CVE-2026-7163

URL	Tags
https://access.redhat.com/errata/RHSA-2026:11511	Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:11512	Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:12116	Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:12337	Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:18584
https://access.redhat.com/errata/RHSA-2026:18585
https://access.redhat.com/security/cve/CVE-2026-7163	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2463152	Issue Tracking

URL

CVE-2026-7163 | Assisted-service: assisted-service: authenticated users can gain administrative access to openshift clusters via credential disclosure

Exploit prediction scoring system (EPSS) score for CVE-2026-7163

Common vulnerability scoring system (CVSS) metrics for CVE-2026-7163

Weakness enumeration for CVE-2026-7163

GitHub Security Advisory for CVE-2026-7163

OS Trackers for CVE-2026-7163

Affected software / configurations for CVE-2026-7163

References for CVE-2026-7163