CVE-2025-6017 MEDIUM

CVE-2025-6017: Rhacm: users with clusterreader role can see credentials from managed-clusters

Vendor Red Hat
Product Red Hat Advanced Cluster Management for Kubernetes 2
Weakness CWE-359
Published July 2, 2025
Last update November 20, 2025

CVSS base score

5.5/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

A flaw was found in Red Hat Advanced Cluster Management in the 2.10 branch before 2.10.7, the 2.11 branch before 2.11.4, and the 2.12 branch before 2.12.4. The vulnerability allows an unprivileged user to view confidential managed-cluster credentials through the UI. This information should be accessible only to authorized users; exposing it may result in the loss of confidentiality of administrative information, which could be leaked to unauthorized actors.

Key dates

Disclosure timeline

July 2, 2025 CVE published
November 20, 2025 Record updated