CVE-2026-5483
published 2026-04-10

Priority: P2 (64), critical
CVSS 3.1 base score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.49% (38.5th percentile)
A flaw was found in odh-dashboard in Red Hat OpenShift AI. This vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This could enable an attacker to gain unauthorized access to Kubernetes resources.

Affected (4 ranges)

Vendor   Product        Version range        Fixed in
redhat   openshift_ai   -                    -
redhat   openshift_ai   -                    -
redhat   openshift_ai   >= 2.16, < 2.16.4    2.16.4
redhat   openshift_ai   >= 2.25, < 2.25.4    2.25.4

Detection & IOCs (extracted from sources)

  • The vulnerable NodeJS endpoint that leaks Kubernetes Service Account tokens is `/api/nim-serving/:nimResource` — monitor or restrict access to this path in odh-dashboard.
  • Exploitation requires authenticated access to the odh-dashboard — audit dashboard authentication logs for unexpected or anomalous access to the NIM serving endpoint.
  • The endpoint only leaks a token if the NIM Account CR and the referenced secret both exist on the cluster; a 404 response indicates no token was leaked — correlate non-404 responses to `/api/nim-serving/` as high-fidelity signals.
  • Exploitation requires the NIM Account CR to exist on the cluster (version 2.25+); clusters without NIM integration configured are not exploitable via this path.
  • If patching is not immediately possible, disabling or removing the NIM (NVIDIA Inference Microservice) integration from RHOAI mitigates the vulnerability.
  • The packages rhoai/odh-mod-arch-gen-ai-rhel9, rhoai/odh-mod-arch-maas-rhel9, and rhoai/odh-mod-arch-model-registry-rhel9 are confirmed Not Affected.
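The two log-based checks above (watch requests to the NIM serving path, treat non-404 responses as the high-fidelity signal) as a small log filter; this is an added example, not part of this record or of odh-dashboard. The log layout, usernames and timestamps are constructed, and `LINE_RE` must be adapted to the real ingress or dashboard access-log format.

```python
import re
from collections import Counter

# Constructed sample lines in a generic "user method path status" shape, not
# odh-dashboard's real log format; adapt LINE_RE to your ingress/dashboard logs.
SAMPLE_LOGS = """\
2026-04-11T09:14:02Z user=alice method=GET path=/api/nim-serving/nim-account status=200
2026-04-11T09:14:05Z user=alice method=GET path=/api/status status=200
2026-04-11T09:15:40Z user=bob method=GET path=/api/nim-serving/nim-account status=404
2026-04-11T09:16:01Z user=carol method=GET path=/api/nim-serving/nim-account status=200
2026-04-11T09:16:03Z user=carol method=GET path=/api/nim-serving/nim-account status=200
2026-04-11T09:17:10Z user=dave method=GET path=/api/projects status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})$"
)
NIM_PREFIX = "/api/nim-serving/"  # path from the advisory; :nimResource follows it


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_nim_hits(log_text):
    """Return (all NIM-serving requests, those answered with a non-404 status)."""
    all_hits, likely_leaks = [], []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["path"].startswith(NIM_PREFIX):
            continue
        rec["status"] = int(rec["status"])
        all_hits.append(rec)
        # Non-404 means the NIM Account CR and its secret existed: token likely returned.
        if rec["status"] != 404:
            likely_leaks.append(rec)
    return all_hits, likely_leaks


def leak_counts_by_user(log_text):
    """Per-user count of non-404 NIM-serving responses (token likely returned)."""
    return dict(Counter(r["user"] for r in find_nim_hits(log_text)[1]))


if __name__ == "__main__":
    for r in find_nim_hits(SAMPLE_LOGS)[1]:
        print(f"REVIEW {r['ts']} user={r['user']} path={r['path']} status={r['status']}")
```

Users flagged here should have their Kubernetes audit logs checked for subsequent use of service account credentials they would not normally hold.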

CVSS provenance

nvd (v3.1): 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vendor_redhat: 8.5 HIGH