SB2026070157 - Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.16
Published: July 1, 2026
Description
This security bulletin contains information about 9 vulnerabilities.
1) Improper Authorization (CVE-ID: CVE-2026-33186)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass authorization.
The vulnerability exists due to authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server to bypass authorization.
2) Resource exhaustion (CVE-ID: CVE-2026-34043)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the serialize() function when serializing a specially crafted array-like object. A remote attacker can supply a crafted array-like object to cause a denial of service.
Exploitation can cause 100% CPU usage and the process may hang indefinitely.
3) Information disclosure (CVE-ID: CVE-2026-44486)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper handling of sensitive headers in the Node.js HTTP adapter in lib/adapters/http.js when following redirects after proxy settings are re-evaluated from an authenticated proxy to a direct connection. A remote attacker can cause the application to follow a crafted redirect so that proxy credentials are sent to the redirect target to disclose sensitive information.
Only the Node.js HTTP adapter is affected, and exploitation requires automatic redirects to be enabled with an authenticated proxy configuration.
4) Insertion of Sensitive Information Into Sent Data (CVE-ID: CVE-2026-44487)
CWE-ID: CWE-201 - Insertion of Sensitive Information Into Sent Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to insertion of sensitive information into sent data in the Node.js HTTP adapter when following an HTTP-to-HTTPS redirect from a proxied request to a direct request. A remote attacker can trigger a crafted redirect flow to disclose sensitive information.
Only Node.js requests using the HTTP adapter are affected, and exploitation requires redirects to be followed and proxy credentials to be configured for the initial HTTP request but not for the redirected HTTPS request.
5) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-44488)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the fetch adapter when processing requests and responses with configured finite size limits. A remote attacker can supply an oversized response, a large data: URL, or an oversized request body to cause a denial of service.
The issue affects server-side usage where applications rely on maxContentLength or maxBodyLength being enforced by the fetch adapter.
6) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-44492)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists because the "shouldBypassProxy" function does not normalise IPv4-mapped IPv6 addresses. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network, or to send malicious requests to other servers from the vulnerable system.
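Added example (not axios code and not part of the bulletin): a proxy-bypass check that folds IPv4-mapped IPv6 hosts into dotted IPv4 before matching, so `10.0.0.5`, `[::ffff:10.0.0.5]` and `[::ffff:a00:5]` all receive the same decision. It assumes a comma-separated NO_PROXY-style list; the function names are illustrative, not axios internals.

```javascript
// Added example, not axios code. Every spelling of an IPv4-mapped IPv6 address
// is reduced to its dotted IPv4 form before the bypass list is consulted.
// Assumption: noProxy is a comma-separated NO_PROXY-style string.

const MAPPED_DOTTED = /^(?:0*:){1,6}ffff:(\d{1,3}(?:\.\d{1,3}){3})$/; // ::ffff:a.b.c.d
const MAPPED_HEX = /^(?:0*:){1,6}ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/; // ::ffff:XXXX:YYYY

function normaliseHost(host) {
  let h = String(host).trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1); // URL bracket form
  let m = MAPPED_DOTTED.exec(h);
  if (m) return m[1];
  m = MAPPED_HEX.exec(h);
  if (m) {
    const hi = parseInt(m[1], 16);
    const lo = parseInt(m[2], 16);
    return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
  }
  return h; // plain hostnames and ordinary IPv6 literals pass through unchanged
}

// Entries: '*' (bypass everything), an exact host or IP literal, or a
// '.suffix' that matches the bare domain and any subdomain of it.
function shouldBypassProxy(host, noProxy) {
  const target = normaliseHost(host);
  return String(noProxy)
    .split(',')
    .map((e) => e.trim().toLowerCase())
    .filter(Boolean)
    .some((entry) => {
      if (entry === '*') return true;
      if (entry.startsWith('.')) {
        return target === entry.slice(1) || target.endsWith(entry);
      }
      return target === normaliseHost(entry); // list entries get the same folding
    });
}
```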
7) Prototype pollution (CVE-ID: CVE-2026-44494)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation in config.proxy. A remote attacker can pass specially crafted input to the application and perform a man-in-the-middle (MitM) attack, which can result in information disclosure or data manipulation.
8) Prototype pollution (CVE-ID: CVE-2026-44495)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute injected code in the Axios request-processing context, disclose sensitive information, tamper with response data, or cause a denial of service.
The vulnerability exists due to improperly controlled modification of object prototype attributes in Axios request config processing and response transformation when handling requests after Object.prototype has been polluted with a crafted transformResponse value. A remote attacker can pollute Object.prototype.transformResponse through a separate prototype-pollution primitive to execute injected code in the Axios request-processing context, disclose sensitive information, tamper with response data, or cause a denial of service.
Exploitation requires a separate vulnerability or equivalent capability to control Object.prototype in the same JavaScript process or browser context before Axios merges or validates the request config. Browser and Node usage can both be affected.
9) Inefficient regular expression complexity (CVE-ID: CVE-2026-44496)
CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to inefficient regular expression complexity in lib/helpers/cookies.js read(name) when processing an attacker-controlled XSRF cookie name while reading document.cookie. A remote attacker can supply a crafted cookie name containing regex metacharacters to cause a denial of service.
The issue affects standard browser environments and can freeze the affected browser tab while axios prepares a request. Applications are affected only when attacker-controlled data reaches the XSRF cookie name configuration or an unsafe direct call to the internal cookie helper.
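Added example (not axios code and not part of the bulletin): a cookie reader that never builds a RegExp from the cookie name, so a name carrying regex metacharacters is rejected up front and the lookup stays linear in the length of the cookie string. It assumes the cookie string is passed in as `cookieHeader` (the value of document.cookie) to keep the example DOM-free; the function names are illustrative.

```javascript
// Added example, not axios code. The cookie name is validated as an RFC 6265
// token and then compared with ===, never interpreted as a pattern.
// Assumption: cookieHeader is the document.cookie string, e.g. "a=1; b=2".

// RFC 6265 cookie-name is an HTTP token: no separators, quotes, spaces or parens.
const COOKIE_TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isValidCookieName(name) {
  return typeof name === 'string' && name.length <= 256 && COOKIE_TOKEN.test(name);
}

// Linear scan over "name=value" pairs; returns null when the name is invalid
// or absent. Cost is proportional to the cookie string, not to the name.
function readCookie(cookieHeader, name) {
  if (!isValidCookieName(name)) return null;
  for (const pair of String(cookieHeader).split(';')) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    if (pair.slice(0, eq).trim() !== name) continue;
    const raw = pair.slice(eq + 1).trim();
    try {
      return decodeURIComponent(raw);
    } catch {
      return raw; // malformed percent-encoding: hand back the raw value instead of throwing
    }
  }
  return null;
}
```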
Remediation
Install the update from the vendor's website.