CVE-2026-4740 HIGH

CVE-2026-4740: Rhacm: open cluster management (ocm): cross-cluster privilege escalation via improper kubernetes client certificate renewal validation

Vendor Red Hat
Product Multicluster Engine for Kubernetes
Weakness CWE-295
Published April 7, 2026
Last update June 30, 2026

CVSS base score

8.2/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This enables cross-cluster privilege escalation and may allow an attacker to gain control over other managed clusters, including the hub cluster.

Key dates

02Disclosure timeline

April 7, 2026 CVE published
June 30, 2026 Record updated