CVE-2025-11393

HIGH 8.7

Insights-runtimes-tech-preview/runtimes-inventory-rhel8-operator: improper proxy configuration allows unauthorized administrative commands

CVSS Score

8.7

EPSS Score

0.0%

EPSS Percentile

13th

A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle. This allows a standard user within the cluster to send unauthorized commands to the management platform, effectively acting with the full permissions of the cluster administrator. This could lead to unauthorized changes to the cluster's configuration or status on the Red Hat platform.

CWE	CWE-441
Vendor	red hat
Product	red hat lightspeed (formerly insights) for runtimes 1
Published	Dec 15, 2025
Last Updated	Mar 26, 2026

Stay Ahead of the Next One

Get instant alerts for red hat red hat lightspeed (formerly insights) for runtimes 1

Be the first to know when new high vulnerabilities affecting red hat red hat lightspeed (formerly insights) for runtimes 1 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

Red Hat / Red Hat Lightspeed (formerly Insights) for Runtimes 1

All versions affected

Red Hat / Red Hat Runtimes Inventory Operator

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

access.redhat.com: https://access.redhat.com/errata/RHSA-2025:23236 access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-11393 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2402032