Pink Hat printed safety advisory CVE-2025-10725, detailing an Essential severity flaw within the OpenShift AI Service that might allow low-privileged attackers to raise their permissions to full cluster administrator and compromise the whole platform.
With a CVSS v3 base rating of 9.9, this vulnerability poses a important danger for organizations leveraging Pink Hat OpenShift AI for machine studying workloads.
Privilege Escalation Vulnerability (CVE-2025-10725)
The basis reason behind CVE-2025-10725 lies in an excessively permissive ClusterRoleBinding associating the kueue-batch-user-role with the system:authenticated group.
In typical deployments, information scientists and different authenticated customers entry Jupyter notebooks and AI pipeline options with minimal privileges.
Nevertheless, by exploiting this misconfiguration, an attacker can invoke the batch.kueue.openshift.io API to create arbitrary Job and Pod sources.
Inject malicious containers or init-containers that execute oc or kubectl instructions, chain privilege elevation inside the cluster by binding newly created service accounts to higher-privilege roles.
In the end, assume the cluster-admin function and achieve unrestricted learn/write entry to all cluster objects. This exploit utterly undermines the confidentiality, integrity, and availability of hosted workloads, permitting theft of delicate information, service disruption, and full infrastructure takeover.
Threat FactorsDetailsAffected ProductsRed Hat OpenShift AI 2.19 (RHEL 8)Pink Hat OpenShift AI 2.21 (RHEL 9)registry.redhat.io/rhoai/odh-rhel8-operatorregistry.redhat.io/rhoai/odh-rhel9-operatorImpactPrivilege escalationExploit PrerequisitesValid authenticated person accountAccess to OpenShift AI ServiceLow-privileged account, Entry to Jupyter pocket book or comparable interface, Potential to work together with batch.kueue.openshift.io APICVSS 3.1 Score9.9 (Essential)
Mitigations
Pink Hat has launched fixes within the following errata, updating the OpenShift AI Operator for Pink Hat Enterprise Linux 8 and 9:
RHBA-2025:16984 (OpenShift AI 2.19 on RHEL 8)
RHBA-2025:16983 (OpenShift AI 2.21 on RHEL 9)
Directors ought to apply these updates instantly. As a workaround earlier than patching, take away the problematic ClusterRoleBinding:
Then, grant job-creation permissions explicitly to trusted identities. This method enforces the Precept of Least Privilege, guaranteeing solely designated customers or teams can submit AI jobs.
Pink Hat classifies CVE-2025-10725 as Essential slightly than Essential as a result of the attacker should maintain a sound authenticated account, albeit with low privileges.
Nonetheless, the influence stays extreme. Organizations working Pink Hat OpenShift AI ought to remediate promptly to stop full cluster compromise and cling to hardened RBAC configurations going ahead.
Comply with us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to characteristic your tales.
