Medium6.8Red Hat Linux Updated
Cluster Logging Operator creates and forwards ServiceAccount tokens without verifying CLF creator authorization
CVE-2026-10609 Published Jun 23, 2026Updated by vendor Jun 23, 2026
Affected products & platforms
Red Hat LinuxUnclassified
Summary
Cluster Logging Operator creates and forwards ServiceAccount tokens without verifying CLF creator authorization. Red Hat rates this moderate (CVSS 6.8). Weakness: CWE-862.
Mitigation checklist
Recommended fix / mitigation
- Restrict ClusterLogForwarder write access to trusted administrators only. Review existing ClusterRoleBindings and RoleBindings that grant clusterlogforwarders write permission. Apply NetworkPolicy egress restrictions to the collector namespace to prevent collector pods from reaching arbitrary external endpoints. Deploy admission controller policies (OPA/Gatekeeper/Kyverno) to deny CLF resources whose outputs point to non-allowlisted URLs. Monitor for ClusterLogForwarder resources with outputs pointing to external URLs, especially those using token.from: serviceAccount.
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.