CVE-2025-11393 — Vulnetix

CVE-2025-11393 PUBLISHED CVSS 8.699999809265137 HIGH

A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle. This allows a standard user within the cluster to send unauthorized commands to the management platform, effectively acting with the full permissions of the cluster administrator. This could lead to unauthorized changes to the cluster's configuration or status on the Red Hat platform.

EPSS 0.01% · 0.4th percentile

Risk Scores

CVSS v3.1

8.699999809265137

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

EPSS Score

0.01%

0.4th percentile

Affected Products

Vendor	Product	Versions
github.com	RedHatInsights/runtimes-inventory-operator	0
Red Hat	Red Hat Runtimes Inventory Operator
Red Hat	Red Hat Lightspeed (formerly Insights) for Runtimes 1	*

Timeline

Dec 15, 2025 CVE Published
Dec 16, 2025 CVE Updated
Dec 16, 2025 EPSS Score
Dec 20, 2025 EPSS Score
Dec 24, 2025 EPSS Score
Dec 28, 2025 EPSS Score
Jan 1, 2026 EPSS Score
Jan 5, 2026 EPSS Score
Jan 9, 2026 EPSS Score
Jan 13, 2026 EPSS Score
Jan 16, 2026 EPSS Score
Jan 20, 2026 EPSS Score

References

RHSA-2025:23236 vendor-advisory
https://access.redhat.com/security/cve/CVE-2025-11393 vdb
RHBZ#2402032 issue
https://nvd.nist.gov/vuln/detail/CVE-2025-11393 advisory
https://github.com/RedHatInsights/runtimes-inventory-operator package

Open in Interactive Console →