CVE-2026-10533 MEDIUM

CVE-2026-10533: OpenShift: non-admin user can bypass ResourceQuota and flood etcd with events, causing cluster-wide API degradation

Vendor: Red Hat
Product: Red Hat OpenShift Container Platform 4
Weakness: CWE-770 · Uncontrolled resource consumption
Published: June 1, 2026
Last update: June 8, 2026

CVSS base score

5.0/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

What the vulnerability does

01 Description

A flaw was found in OpenShift Container Platform. Completed pods with restartPolicy: Never do not count toward ResourceQuota pod limits, and Kubernetes events are not quota-scoped. A non-privileged user who can create pods in a namespace can exploit this to generate a large volume of events that accumulate in etcd, causing API server performance degradation across the cluster.
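A detection sketch for the condition described above, added here as an example and not part of the advisory or of any Red Hat tooling. It assumes its inputs are the `items` lists from `oc get pods -A -o json`, `oc get events -A -o json` and `oc get resourcequota -A -o json`; the function name, the event threshold and the sample data are constructed for illustration.

```python
from collections import Counter

TERMINAL = {"Succeeded", "Failed"}  # pod phases that no longer count toward the pods quota

def audit(pods, events, quotas, event_threshold=1000):
    """Return {namespace: [findings]} for namespaces whose completed
    restartPolicy=Never pods exceed the pod quota, or whose stored event
    count exceeds event_threshold (an assumed, site-specific value)."""
    done = Counter(
        p["metadata"]["namespace"] for p in pods
        if p["spec"].get("restartPolicy") == "Never"
        and p.get("status", {}).get("phase") in TERMINAL
    )
    stored = Counter(e["metadata"]["namespace"] for e in events)
    # Tightest spec.hard.pods per namespace (assumes plain integer quantities).
    hard = {}
    for q in quotas:
        limit = q["spec"].get("hard", {}).get("pods")
        if limit is not None:
            ns = q["metadata"]["namespace"]
            hard[ns] = min(hard.get(ns, int(limit)), int(limit))
    findings = {}
    for ns in sorted(set(done) | set(stored)):
        notes = []
        if ns in hard and done[ns] > hard[ns]:
            notes.append(f"{done[ns]} completed restartPolicy=Never pods, quota allows {hard[ns]}")
        if stored[ns] > event_threshold:
            notes.append(f"{stored[ns]} events stored")
        if notes:
            findings[ns] = notes
    return findings

def _pod(ns, name, phase, policy="Never"):
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"restartPolicy": policy}, "status": {"phase": phase}}

# Constructed sample data: team-a has a pod quota of 10 but 40 completed pods.
SAMPLE_PODS = [_pod("team-a", f"job-{i}", "Succeeded") for i in range(40)]
SAMPLE_PODS.append(_pod("team-b", "web", "Running", "Always"))
SAMPLE_EVENTS = [{"metadata": {"namespace": "team-a"}} for _ in range(160)]
SAMPLE_EVENTS += [{"metadata": {"namespace": "team-b"}} for _ in range(3)]
SAMPLE_QUOTAS = [{"metadata": {"namespace": "team-a"}, "spec": {"hard": {"pods": "10"}}}]

if __name__ == "__main__":
    for ns, notes in audit(SAMPLE_PODS, SAMPLE_EVENTS, SAMPLE_QUOTAS, 100).items():
        print(ns, "->", "; ".join(notes))
```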

Key dates

02 Disclosure timeline

June 1, 2026: CVE published
June 8, 2026: Record updated