A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server host key. An adjacent-network attacker who can intercept or redirect WMCO's SSH session can capture WICD and kubelet bootstrap credentials transferred during node configuration, enabling compromise of Windows node identities in the cluster.
References
| Link | Resource |
|---|---|
| https://access.redhat.com/security/cve/CVE-2026-54100 | Vendor Advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487953 | Issue Tracking Vendor Advisory |
| https://access.redhat.com/security/cve/CVE-2026-54100 | Vendor Advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487953 | Issue Tracking Vendor Advisory |
| https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-54100.json | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
08 Jul 2026, 15:10
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:redhat:openshift_container_platform:*:*:*:*:*:*:*:* cpe:2.3:a:redhat:windows_machine_config_operator:-:*:*:*:*:*:*:* |
|
| First Time |
Redhat windows Machine Config Operator
Redhat Redhat openshift Container Platform |
|
| References | () https://access.redhat.com/security/cve/CVE-2026-54100 - Vendor Advisory | |
| References | () https://bugzilla.redhat.com/show_bug.cgi?id=2487953 - Issue Tracking, Vendor Advisory | |
| References | () https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-54100.json - Vendor Advisory |
30 Jun 2026, 03:21
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
|
| References | () https://access.redhat.com/security/cve/CVE-2026-54100 - | |
| References | () https://bugzilla.redhat.com/show_bug.cgi?id=2487953 - |
22 Jun 2026, 14:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-22 14:17
Updated : 2026-07-08 15:10
NVD link : CVE-2026-54100
Mitre link : CVE-2026-54100
CVE.ORG link : CVE-2026-54100
JSON object : View
Products Affected
redhat
- windows_machine_config_operator
- openshift_container_platform
CWE
CWE-295
Improper Certificate Validation
