A flaw was found in the OpenShift Router. When a Route has `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend does not remove `X-SSL-Client-*` headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted `X-SSL-Client-*` headers. As a result, backends relying on these headers for mutual TLS (Transport Layer Security) authentication can be bypassed, enabling the attacker to impersonate client certificate identities.
Casky was already ahead
This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-46579 exposes a critical authentication bypass in OpenShift Router configurations where `insecureEdgeTerminationPolicy` is set to Allow. The vulnerability stems from the HTTP frontend failing to sanitize incoming `X-SSL-Client-*` headers, which are typically set only by legitimate TLS termination points during mutual TLS (mTLS) handshakes. An unauthenticated attacker can craft plain HTTP requests with forged certificate headers, allowing them to impersonate authenticated clients and bypass mTLS authentication controls entirely. This affects any organization running OpenShift with Routes configured for insecure edge termination and relying on X-SSL-Client headers for backend authentication, potentially exposing sensitive services and data to unauthorized access.
Casky's 261 matched security skills leverage Claude's extended reasoning to detect attack patterns associated with TA0004 (Privilege Escalation) and TA0006 (Credential Access). Practitioners using Casky will see findings correlated with header injection detection, abnormal header patterns in HTTP traffic, and authentication mechanism bypass attempts. The platform's skills map to CWE-287 (Improper Authentication) and flag suspicious `X-SSL-Client-*` header usage in unauthenticated requests, anomalous certificate claims without corresponding TLS handshakes, and unauthorized privilege escalation following header manipulation. By analyzing traffic patterns and authentication context, Casky helps teams identify when attackers are attempting to spoof client identities through header injection, enabling rapid response before sensitive backend systems are compromised.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-46579.
Casky has 261 skills that investigate the attack patterns behind CVE-2026-46579. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →analyzing-office365-audit-logs-for-compromise
cloud security · low
auditing-aws-s3-bucket-permissions
cloud security · low
auditing-azure-active-directory-configuration
cloud security · low
auditing-cloud-with-cis-benchmarks
cloud security · low
auditing-gcp-iam-permissions
cloud security · low
auditing-kubernetes-cluster-rbac
cloud security · low
auditing-terraform-infrastructure-for-security
cloud security · low
building-c2-infrastructure-with-sliver-framework
red teaming · high
building-cloud-siem-with-sentinel
cloud security · low
building-identity-federation-with-saml-azure-ad
identity access management · low
building-identity-governance-lifecycle-process
identity access management · low
building-phishing-reporting-button-workflow
phishing defense · medium
building-red-team-c2-infrastructure-with-havoc
red teaming · high
building-role-mining-for-rbac-optimization
identity access management · low
conducting-api-security-testing
penetration testing · medium
conducting-cloud-penetration-testing
cloud security · low
conducting-domain-persistence-with-dcsync
red teaming · high
conducting-external-reconnaissance-with-osint
penetration testing · medium
conducting-full-scope-red-team-engagement
red teaming · high
conducting-internal-network-penetration-test
penetration testing · medium
conducting-internal-reconnaissance-with-bloodhound-ce
red teaming · high
conducting-mobile-app-penetration-test
penetration testing · medium
conducting-network-penetration-test
penetration testing · medium
conducting-pass-the-ticket-attack
red teaming · high
conducting-social-engineering-penetration-test
penetration testing · medium
conducting-social-engineering-pretext-call
red teaming · high
conducting-spearphishing-simulation-campaign
red teaming · high
conducting-wireless-network-penetration-test
penetration testing · medium
configuring-active-directory-tiered-model
identity access management · low
configuring-aws-verified-access-for-ztna
zero trust architecture · low
configuring-certificate-authority-with-openssl
cryptography · low
configuring-host-based-intrusion-detection
endpoint security · low
configuring-hsm-for-key-storage
cryptography · low
configuring-identity-aware-proxy-with-google-iap
zero trust architecture · low
configuring-ldap-security-hardening
identity access management · low
configuring-microsegmentation-for-zero-trust
zero trust architecture · low
configuring-multi-factor-authentication-with-duo
identity access management · low
configuring-oauth2-authorization-flow
identity access management · low
configuring-tls-1-3-for-secure-communications
cryptography · low
configuring-windows-defender-advanced-settings
endpoint security · low
configuring-windows-event-logging-for-detection
endpoint security · low
configuring-zscaler-private-access-for-ztna
zero trust architecture · low
deploying-cloudflare-access-for-zero-trust
zero trust architecture · low
deploying-edr-agent-with-crowdstrike
endpoint security · low
deploying-osquery-for-endpoint-monitoring
endpoint security · low
deploying-palo-alto-prisma-access-zero-trust
zero trust architecture · low
deploying-software-defined-perimeter
zero trust architecture · low
deploying-tailscale-for-zero-trust-vpn
zero trust architecture · low
detecting-anomalous-authentication-patterns
identity access management · low
detecting-api-enumeration-attacks
api security · medium
detecting-aws-cloudtrail-anomalies
cloud security · low
detecting-aws-credential-exposure-with-trufflehog
cloud security · low
detecting-aws-guardduty-findings-automation
cloud security · low
detecting-aws-iam-privilege-escalation
cloud security · low
detecting-azure-lateral-movement
cloud security · low
detecting-azure-service-principal-abuse
cloud security · low
detecting-azure-storage-account-misconfigurations
cloud security · low
detecting-broken-object-property-level-authorization
api security · medium
detecting-business-email-compromise
phishing defense · medium
detecting-business-email-compromise-with-ai
phishing defense · medium
detecting-cloud-threats-with-guardduty
cloud security · low
detecting-compromised-cloud-credentials
cloud security · low
detecting-container-drift-at-runtime
container security · low
detecting-container-escape-attempts
container security · low
detecting-container-escape-with-falco-rules
container security · low
detecting-cryptomining-in-cloud
cloud security · low
detecting-evasion-techniques-in-endpoint-logs
endpoint security · low
detecting-fileless-attacks-on-endpoints
endpoint security · low
detecting-misconfigured-azure-storage
cloud security · low
detecting-oauth-token-theft
cloud security · low
detecting-privilege-escalation-in-kubernetes-pods
container security · low
detecting-qr-code-phishing-with-email-security
phishing defense · medium
detecting-s3-data-exfiltration-attempts
cloud security · low
detecting-serverless-function-injection
cloud security · low
detecting-shadow-api-endpoints
api security · medium
detecting-shadow-it-cloud-usage
cloud security · low
detecting-spearphishing-with-email-gateway
phishing defense · medium
detecting-suspicious-oauth-application-consent
cloud security · low
executing-active-directory-attack-simulation
penetration testing · medium
executing-phishing-simulation-campaign
penetration testing · medium
executing-red-team-engagement-planning
red teaming · high
executing-red-team-exercise
penetration testing · medium
exploiting-active-directory-certificate-services-esc1
red teaming · high
exploiting-active-directory-with-bloodhound
red teaming · high
exploiting-api-injection-vulnerabilities
api security · medium
exploiting-broken-function-level-authorization
api security · medium
exploiting-constrained-delegation-abuse
red teaming · high
exploiting-excessive-data-exposure-in-api
api security · medium
exploiting-jwt-algorithm-confusion-attack
api security · medium
exploiting-kerberoasting-with-impacket
red teaming · high
exploiting-ms17-010-eternalblue-vulnerability
red teaming · high
exploiting-nopac-cve-2021-42278-42287
red teaming · high
exploiting-sql-injection-vulnerabilities
penetration testing · medium
exploiting-zerologon-vulnerability-cve-2020-1472
red teaming · high
hardening-docker-containers-for-production
container security · low
hardening-docker-daemon-configuration
container security · low
hardening-linux-endpoint-with-cis-benchmark
endpoint security · low
hardening-windows-endpoint-with-cis-benchmark
endpoint security · low
implementing-aes-encryption-for-data-at-rest
cryptography · low
implementing-anti-phishing-training-program
phishing defense · medium
implementing-api-abuse-detection-with-rate-limiting
api security · medium
implementing-api-gateway-security-controls
api security · medium
implementing-api-key-security-controls
api security · medium
implementing-api-rate-limiting-and-throttling
api security · medium
implementing-api-schema-validation-security
api security · medium
implementing-api-security-posture-management
api security · medium
implementing-api-security-testing-with-42crunch
api security · medium
implementing-api-threat-protection-with-apigee
api security · medium
implementing-application-whitelisting-with-applocker
endpoint security · low
implementing-aws-config-rules-for-compliance
cloud security · low
implementing-aws-iam-permission-boundaries
identity access management · low
implementing-aws-macie-for-data-classification
cloud security · low
implementing-aws-nitro-enclave-security
cloud security · low
implementing-aws-security-hub
cloud security · low
implementing-aws-security-hub-compliance
cloud security · low
implementing-azure-ad-privileged-identity-management
identity access management · low
implementing-azure-defender-for-cloud
cloud security · low
implementing-beyondcorp-zero-trust-access-model
zero trust architecture · low
implementing-cisa-zero-trust-maturity-model
zero trust architecture · low
implementing-cloud-dlp-for-data-protection
cloud security · low
implementing-cloud-security-posture-management
cloud security · low
implementing-cloud-trail-log-analysis
cloud security · low
implementing-cloud-waf-rules
cloud security · low
implementing-cloud-workload-protection
cloud security · low
implementing-conditional-access-policies-azure-ad
identity access management · low
implementing-container-image-minimal-base-with-distroless
container security · low
implementing-container-network-policies-with-calico
container security · low
implementing-delinea-secret-server-for-pam
identity access management · low
implementing-device-posture-assessment-in-zero-trust
zero trust architecture · low
implementing-digital-signatures-with-ed25519
cryptography · low
implementing-disk-encryption-with-bitlocker
endpoint security · low
implementing-dmarc-dkim-spf-email-security
phishing defense · medium
implementing-email-sandboxing-with-proofpoint
phishing defense · medium
implementing-end-to-end-encryption-for-messaging
cryptography · low
implementing-endpoint-dlp-controls
endpoint security · low
implementing-envelope-encryption-with-aws-kms
cryptography · low
implementing-file-integrity-monitoring-with-aide
endpoint security · low
implementing-gcp-binary-authorization
cloud security · low
implementing-gcp-organization-policy-constraints
cloud security · low
implementing-gcp-vpc-firewall-rules
cloud security · low
implementing-google-workspace-admin-security
identity access management · low
implementing-google-workspace-phishing-protection
phishing defense · medium
implementing-google-workspace-sso-configuration
identity access management · low
implementing-hashicorp-vault-dynamic-secrets
identity access management · low
implementing-identity-governance-with-sailpoint
identity access management · low
implementing-identity-verification-for-zero-trust
zero trust architecture · low
implementing-image-provenance-verification-with-cosign
container security · low
implementing-just-in-time-access-provisioning
identity access management · low
implementing-jwt-signing-and-verification
cryptography · low
implementing-kubernetes-network-policy-with-calico
container security · low
implementing-kubernetes-pod-security-standards
container security · low
implementing-memory-protection-with-dep-aslr
endpoint security · low
implementing-microsegmentation-with-guardicore
zero trust architecture · low
implementing-mimecast-targeted-attack-protection
phishing defense · medium
implementing-network-policies-for-kubernetes
container security · low
implementing-opa-gatekeeper-for-policy-enforcement
container security · low
implementing-pam-for-database-access
identity access management · low
implementing-passwordless-auth-with-microsoft-entra
identity access management · low
implementing-passwordless-authentication-with-fido2
identity access management · low
implementing-pod-security-admission-controller
container security · low
implementing-privileged-access-management-with-cyberark
identity access management · low
implementing-privileged-session-monitoring
identity access management · low
implementing-proofpoint-email-security-gateway
phishing defense · medium
implementing-rbac-hardening-for-kubernetes
container security · low
implementing-rsa-key-pair-management
cryptography · low
implementing-runtime-security-with-tetragon
container security · low
implementing-saml-sso-with-okta
identity access management · low
implementing-scim-provisioning-with-okta
identity access management · low
implementing-secrets-management-with-vault
cloud security · low
implementing-supply-chain-security-with-in-toto
container security · low
implementing-usb-device-control-policy
endpoint security · low
implementing-zero-knowledge-proof-for-authentication
cryptography · low
implementing-zero-standing-privilege-with-cyberark
identity access management · low
implementing-zero-trust-dns-with-nextdns
zero trust architecture · low
implementing-zero-trust-for-saas-applications
zero trust architecture · low
implementing-zero-trust-in-cloud
cloud security · low
implementing-zero-trust-network-access
cloud security · low
implementing-zero-trust-network-access-with-zscaler
zero trust architecture · low
implementing-zero-trust-with-hashicorp-boundary
zero trust architecture · low
managing-cloud-identity-with-okta
cloud security · low
performing-access-recertification-with-saviynt
identity access management · low
performing-access-review-and-certification
identity access management · low
performing-active-directory-bloodhound-analysis
red teaming · high
performing-active-directory-penetration-test
penetration testing · medium
performing-adversary-in-the-middle-phishing-detection
phishing defense · medium
performing-api-fuzzing-with-restler
api security · medium
performing-api-inventory-and-discovery
api security · medium
performing-api-rate-limiting-bypass
api security · medium
performing-api-security-testing-with-postman
api security · medium
performing-aws-account-enumeration-with-scout-suite
cloud security · low
performing-aws-privilege-escalation-assessment
cloud security · low
performing-cloud-asset-inventory-with-cartography
cloud security · low
performing-cloud-forensics-with-aws-cloudtrail
cloud security · low
performing-cloud-log-forensics-with-athena
cloud security · low
performing-cloud-native-forensics-with-falco
cloud security · low
performing-cloud-native-threat-hunting-with-aws-detective
cloud security · low
performing-cloud-penetration-testing-with-pacu
cloud security · low
performing-container-escape-detection
container security · low
performing-container-security-scanning-with-trivy
container security · low
performing-credential-access-with-lazagne
red teaming · high
performing-cryptographic-audit-of-application
cryptography · low
performing-dmarc-policy-enforcement-rollout
phishing defense · medium
performing-docker-bench-security-assessment
container security · low
performing-endpoint-forensics-investigation
endpoint security · low
performing-endpoint-vulnerability-remediation
endpoint security · low
performing-entitlement-review-with-sailpoint-iiq
identity access management · low
performing-external-network-penetration-test
penetration testing · medium
performing-gcp-penetration-testing-with-gcpbucketbrute
cloud security · low
performing-gcp-security-assessment-with-forseti
cloud security · low
performing-graphql-depth-limit-attack
api security · medium
performing-graphql-introspection-attack
api security · medium
performing-hardware-security-module-integration
cryptography · low
performing-hash-cracking-with-hashcat
cryptography · low
performing-initial-access-with-evilginx3
red teaming · high
performing-iot-security-assessment
penetration testing · medium
performing-jwt-none-algorithm-attack
api security · medium
performing-kerberoasting-attack
red teaming · high
performing-kubernetes-cis-benchmark-with-kube-bench
container security · low
performing-kubernetes-etcd-security-assessment
container security · low
performing-kubernetes-penetration-testing
container security · low
performing-lateral-movement-with-wmiexec
red teaming · high
performing-oauth-scope-minimization-review
identity access management · low
performing-open-source-intelligence-gathering
red teaming · high
performing-phishing-simulation-with-gophish
phishing defense · medium
performing-physical-intrusion-assessment
red teaming · high
performing-post-quantum-cryptography-migration
cryptography · low
performing-privilege-escalation-assessment
penetration testing · medium
performing-privilege-escalation-on-linux
red teaming · high
performing-privileged-account-access-review
identity access management · low
performing-privileged-account-discovery
identity access management · low
performing-serverless-function-security-review
cloud security · low
performing-service-account-audit
identity access management · low
performing-service-account-credential-rotation
identity access management · low
performing-soap-web-service-security-testing
api security · medium
performing-ssl-certificate-lifecycle-management
cryptography · low
performing-thick-client-application-penetration-test
penetration testing · medium
performing-vulnerability-scanning-with-nessus
penetration testing · medium
performing-web-application-penetration-test
penetration testing · medium
performing-wireless-network-penetration-test
penetration testing · medium
remediating-s3-bucket-misconfiguration
cloud security · low
scanning-container-images-with-grype
container security · low
scanning-docker-images-with-trivy
container security · low
scanning-kubernetes-manifests-with-kubesec
container security · low
securing-api-gateway-with-aws-waf
cloud security · low
securing-aws-iam-permissions
cloud security · low
securing-aws-lambda-execution-roles
cloud security · low
securing-azure-with-microsoft-defender
cloud security · low
securing-container-registry-images
cloud security · low
securing-container-registry-with-harbor
container security · low
securing-helm-chart-deployments
container security · low
securing-kubernetes-on-cloud
cloud security · low
securing-serverless-functions
cloud security · low
testing-api-authentication-weaknesses
api security · medium
testing-api-for-broken-object-level-authorization
api security · medium
testing-api-for-mass-assignment-vulnerability
api security · medium
testing-for-xss-vulnerabilities
penetration testing · medium
testing-oauth2-implementation-flaws
api security · medium
testing-websocket-api-security
api security · medium
© 2026 Casky.AI, Inc. · AI Security Investigation