AI/ML, AI benefits/risks, Identity, Decentralized identity and verifiable credentials, Exposure management

RedHat mitigates OpenShift AI flaw allowing privilege escalation

Innovative access control system with biometric authentication, secure data storage, and permission management features, providing a comprehensive solution for safeguarding sensitive information

RedHat on Sept. 28 reported that it found a 9.9 flaw in its OpenShift AI Service that could let a low-privileged attacker with access to an authenticated account — such as a data scientist using a Jupyter notebook — to escalate their privileges to a full cluster administrator.

In its advisory, Red Hat said the attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications it’s hosting.

Built using open-source technologies, RedHat’s website said OpenShift AI offers “trusted, operationally-consistent capabilities for teams to experiment, serve models, and deliver innovative applications.”

To mitigate the flaw — CVE-2025-10725 — RedHat recommended that security teams grant the permission to create jobs on a more granular, as-needed basis to specific users or groups, adhering to the principle of least privilege. The vendor also advised teams to avoid granting broad permissions to system-level groups.

"Although Red Hat says the OpenShift AI vulnerability isn't critical, we advise caution,” said John Carberry, solution sleuth at Xcape, Inc. “While it's not an urgent, immediate threat, the flaw could be combined with other vulnerabilities or misconfigurations within AI/ML pipelines.”

Carberry added that Red Hat's assessment is technically accurate: the vulnerability isn't critical on its own. However, teams shouldn't ignore it because in AI/ML environments, where data and model integrity are crucial, even minor flaws can have significant consequences if exploited cleverly, said Carberry.

“Administrators are encouraged to practice least privilege when granting access to system-level groups to prevent escalation,” said Carberry. “Red Hat might be downplaying this to avoid alarm, but anyone serious about security should apply the patch immediately, particularly if OpenShift AI is used for vital tasks.”

Graham Neray, co-founder and chief executive officer at Oso, added that security teams should take the OpenShift Ai flaw seriously, explaining that a seemingly small permissions gap can escalate into control of critical infrastructure.

Neray pointed out that broken access control rose to No. 1 in the OWASP Top 10 list of AppSec failures, and the explosion of AI has expanded the surface area for attack. Neray said with AI, there are more automated actions, more dynamic systems, more opportunities for mistakes to compound.

“Authorization can’t be an afterthought,” said Neray. “We need to build fine-grained, least-privilege from the start to provide the guardrails needed to keep sensitive data and infrastructure secure, especially as AI becomes mainstream.”

Agnidipta Sarkar, chief evangelist at ColorTokens, added that Jupyter notebooks are widely used in academic and commercial R&D activities, and MFA rarely gets used. Coupled with the abundant availability of stolen usernames and passwords, Sarkar said they are an easy target for attackers.  

“In addition to taking over the cluster, the attacker can launch malicious pods that can be used as command-and-control to perform reconnaissance of other systems in the network and move laterally to vulnerable systems,” said Sarkar. “Security teams should also audit their infrastructure to identify any shadow OpenShiftAI deployments and ensure that the mitigations are applied immediately.”

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds