CVE-2026-5483
Published: 2026-04-10
Priority: P2 (64) · CVSS 3.1 base score 9.9 (Critical)
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
EPSS: 0.49% (38.5th percentile)
A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This could enable an attacker to gain unauthorized access to Kubernetes resources.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| redhat | openshift_ai | — | — |
| redhat | openshift_ai | — | — |
| redhat | openshift_ai | >= 2.16 < 2.16.4 | 2.16.4 |
| redhat | openshift_ai | >= 2.25 < 2.25.4 | 2.25.4 |
Detection & IOCs (extracted from sources)
- The vulnerable NodeJS endpoint that leaks Kubernetes Service Account tokens is `/api/nim-serving/:nimResource`; monitor or restrict access to this path in odh-dashboard.
- Exploitation requires authenticated access to the odh-dashboard; audit dashboard authentication logs for unexpected or anomalous access to the NIM serving endpoint.
- The endpoint only leaks a token if the NIM Account CR and the referenced secret both exist on the cluster; a 404 response indicates no token was leaked. Correlate non-404 responses to `/api/nim-serving/` as high-fidelity signals.
- Exploitation requires the NIM Account CR to exist on the cluster (version 2.25+); clusters without NIM integration configured are not exploitable via this path.
- If patching is not immediately possible, disabling or removing the NIM (NVIDIA Inference Microservice) integration from RHOAI mitigates the vulnerability.
- The packages rhoai/odh-mod-arch-gen-ai-rhel9, rhoai/odh-mod-arch-maas-rhel9, and rhoai/odh-mod-arch-model-registry-rhel9 are confirmed Not Affected.
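The detection guidance above (watch the NIM serving path and treat non-404 responses as the high-fidelity signal) as an added Python example; this is not code from the advisory or from the odh-dashboard project. The access-log format, the field layout, the user names and the log lines below are constructed assumptions, as is the NIM resource name.

```python
"""Flag odh-dashboard access-log entries that hit the NIM serving endpoint
and did not return 404, i.e. requests where a Service Account token may have
been disclosed per the CVE-2026-5483 detection guidance.

Added example; the log format is an assumption (common-log style with a
username field), not the real odh-dashboard log layout.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Path prefix named in the advisory's detection guidance.
NIM_PREFIX = "/api/nim-serving/"

# Assumed log layout: client user [timestamp] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


@dataclass(frozen=True)
class Hit:
    ts: str
    user: str
    client: str
    path: str
    status: int


def parse_line(line: str):
    """Return a Hit for a well-formed line, None for anything unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Hit(
        ts=m.group("ts"),
        user=m.group("user"),
        client=m.group("client"),
        path=m.group("path"),
        status=int(m.group("status")),
    )


def is_nim_request(path: str) -> bool:
    """Match on the path only; a query string must not hide the prefix."""
    return path.split("?", 1)[0].startswith(NIM_PREFIX)


def find_suspected_disclosures(lines):
    """NIM-serving requests with any status other than 404.

    404 means the NIM Account CR or its secret did not exist, so no token
    left the server; every other status is worth an analyst's attention.
    """
    hits = []
    for line in lines:
        h = parse_line(line)
        if h is not None and is_nim_request(h.path) and h.status != 404:
            hits.append(h)
    return hits


def hits_per_user(hits) -> Counter:
    """Aggregate by authenticated user for triage (access is authenticated)."""
    return Counter(h.user for h in hits)


# Constructed sample log; "example-nim-account" is a made-up resource name.
SAMPLE_LOG = [
    '10.0.0.5 alice [10/Apr/2026:12:00:01 +0000] "GET /api/nim-serving/example-nim-account HTTP/1.1" 200 1842',
    '10.0.0.5 alice [10/Apr/2026:12:00:07 +0000] "GET /api/nim-serving/example-nim-account HTTP/1.1" 404 45',
    '10.0.0.9 bob [10/Apr/2026:12:01:15 +0000] "GET /api/k8s/api/v1/namespaces HTTP/1.1" 200 2210',
    '10.0.0.7 carol [10/Apr/2026:12:02:40 +0000] "GET /api/nim-serving/example-nim-account?x=1 HTTP/1.1" 200 903',
    'this line is not an access-log entry',
    '10.0.0.5 alice [10/Apr/2026:12:03:02 +0000] "GET /api/nim-serving/example-nim-account HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    found = find_suspected_disclosures(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} user={h.user} client={h.client} status={h.status} path={h.path}")
    print("per user:", dict(hits_per_user(found)))
```

Note that the 403 entry is kept on purpose: it is not a 404, so the advisory's "no token leaked" inference does not apply to it, and an analyst should decide rather than the filter. On a cluster with no NIM Account CR at all, every entry should be a 404 and the function returns nothing.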
CVSS provenance
- NVD (CVSS v3.1): 9.9 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Vendor (Red Hat): 8.5 HIGH
GHSA
GHSA-w59f-v72r-w493 (ghsa_unreviewed, 2026-04-10): CVE-2026-5483 [HIGH] CWE-201, "A flaw was found in odh-dashboard in Red Hat Openshift AI"
Red Hat
vendor_redhat, 2026-04-10, CVSS 8.5: CVE-2026-5483 [HIGH] CWE-201, "odh-dashboard: ODH Dashboard Kubernetes Service Account Exposure"
Statement: A flaw in the `odh-dashboard` component of Red Hat OpenShift AI allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This vulnerability could enable an attacker to gain unauthorized access to Kubernetes resources within the OpenShift AI environment.
The NIM serving API endpoint (`/api/nim-serving/:nimResource`) returns the full K8 client response including the dashbo
No detection rules found.
No public exploits indexed.
References
- https://access.redhat.com/errata/RHSA-2026:7397
- https://access.redhat.com/errata/RHSA-2026:7398
- https://access.redhat.com/errata/RHSA-2026:7403
- https://access.redhat.com/errata/RHSA-2026:7404
- https://access.redhat.com/security/cve/CVE-2026-5483
- https://bugzilla.redhat.com/show_bug.cgi?id=2454764
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-5483.json
Published: 2026-04-10