Headline
GHSA-cc8c-28gj-px38: Misconfigured Internal Proxy in runtimes-inventory-rhel8-operator Grants Standard Users Full Cluster Administrator Access
A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster’s main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle.
This allows a standard user within the cluster to send unauthorized commands to the management platform, effectively acting with the full permissions of the cluster administrator. This could lead to unauthorized changes to the cluster’s configuration or status on the Red Hat platform.
Skip to content
Navigation Menu
AI CODE CREATION
GitHub CopilotWrite better code with AI
GitHub SparkBuild and deploy intelligent apps
GitHub ModelsManage and compare prompts
MCP RegistryNewIntegrate external tools
View all features
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
Appearance settings
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-11393
Misconfigured Internal Proxy in runtimes-inventory-rhel8-operator Grants Standard Users Full Cluster Administrator Access
High severity GitHub Reviewed Published Dec 15, 2025 to the GitHub Advisory Database • Updated Dec 16, 2025
Package
gomod github.com/RedHatInsights/runtimes-inventory-operator (Go)
Affected versions
<= 0.0.0-20251211184433-5123422abee1
Description
Published to the GitHub Advisory Database
Dec 15, 2025
Last updated
Dec 16, 2025
EPSS score