SB2026070202 - Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.19



SB2026070202 - Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.19

Published: July 2, 2026

Security Bulletin ID SB2026070202
CSH Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 33% Medium 33% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Prototype pollution (CVE-ID: CVE-2026-29063)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to modify object prototype attributes in affected JavaScript objects.

The vulnerability exists due to improper input validation in the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() functions when processing user-supplied input containing __proto__ properties. A remote attacker can send a specially crafted object input to pollute the prototype of base objects, leading to unauthorized property injection and potential privilege escalation.

Prototype pollution occurs without affecting the global Object.prototype, but injected properties can still be accessed through object property lookups even if not visible via Object.keys().


2) Insertion of Sensitive Information Into Sent Data (CVE-ID: CVE-2026-44487)

CWE-ID: CWE-201 - Insertion of Sensitive Information Into Sent Data

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to insertion of sensitive information into sent data in the Node.js HTTP adapter when following an HTTP-to-HTTPS redirect from a proxied request to a direct request. A remote attacker can trigger a crafted redirect flow to disclose sensitive information.

Only Node.js requests using the HTTP adapter are affected, and exploitation requires redirects to be followed and proxy credentials to be configured for the initial HTTP request but not for the redirected HTTPS request.


3) Prototype pollution (CVE-ID: CVE-2026-44494)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber


The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation in config.proxy. A remote attacker can pass specially crafted input to the application and perform a man-in-the-middle (MitM) attack, which can result in information disclosure or data manipulation.


Remediation

Install update from vendor's website.