OpenShift Pipelines Operator Grants Excessive ClusterRole Permissions

A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate.

Casky was already ahead

This CVE exploits attack patterns that Casky's 203matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

CVE-2026-10840 exposes a critical privilege escalation vulnerability in OpenShift Pipelines where the tekton-scheduler-rolebinding ClusterRoleBinding inadvertently grants all authenticated users write access to Kueay and cert-manager custom resources. This flaw allows any authenticated cluster user—regardless of intended role or permissions—to disrupt workload scheduling, manipulate scheduling priorities, delete other tenants' Workload objects, and compromise TLS secrets managed by cert-manager. Organizations running OpenShift with these operators present face immediate threats to cluster stability, multi-tenancy isolation, and certificate infrastructure integrity. The vulnerability is particularly dangerous because exploitation requires only cluster authentication, a privilege commonly held across development teams.

Casky's 203 matched security skills detect the attack patterns underlying this vulnerability by analyzing MITRE ATT&CK technique TA0004 (Privilege Escalation) through Claude AI's extended reasoning capabilities. Practitioners using Casky would identify suspicious patterns including: unauthorized ClusterRoleBinding modifications, authenticated users accessing cert-manager secrets outside their namespace scope, unexpected deletions of Workload objects across tenant boundaries, and anomalous API calls to scheduling components by non-admin service accounts. The platform's skill mapping reveals how attackers transition from initial authentication access to resource manipulation, enabling detection of the overly permissive RBAC configuration before exploitation occurs. Security teams gain visibility into role permission drift and can correlate findings with CRD presence detection to quantify actual exposure across their environment.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

203 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-10840.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-office365-audit-logs-for-compromise

cloud security · low

Run

MITRE ATT&CK Techniques

TA0004

Investigate the attack patterns behind CVE-2026-10840

Casky has 203 skills that investigate the attack patterns behind CVE-2026-10840. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn