A severe security flaw has been disclosed in the Red Hat OpenShift AI service that could allow attackers to escalate privileges and take control of the complete infrastructure under certain conditions.

OpenShift AI is a platform for managing the lifecycle of predictive and generative artificial intelligence (GenAI) models at scale and across hybrid cloud environments. It also facilitates data acquisition and preparation, model training and fine-tuning, model serving and model monitoring, and hardware acceleration.

The vulnerability, tracked as CVE-2025-10725, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been classified by Red Hat as "Important" and not "Critical" in severity owing to the need for a remote attacker to be authenticated in order to compromise the environment.

"A low-privileged attacker with access to an authenticated account, for example, as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator," Red Hat said in an advisory earlier this week.

"This allows for the complete compromise of the cluster's confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it."

According to a Bugzilla report, the vulnerability is the result of an overly permissive ClusterRole that allows authenticated users to escalate privileges to that of a cluster administrator.

"This grants any authenticated entity, including low-privileged service accounts for user workbenches, the permission to create OpenShift Jobs in any namespace," per the report. "An attacker can abuse this permission to schedule a malicious Job in a privileged namespace (e.g., openshift-apiserver-operator), configuring it to run with a high-privilege ServiceAccount."

As a result, an attacker could abuse this behavior to schedule a job that can exfiltrate the ServiceAccount token, enabling them to progressively pivot and compromise more powerful accounts, ultimately achieving root access on cluster master nodes and leading to a full cluster takeover.

The following versions are affected by the flaw:

  • Red Hat OpenShift AI 2.19
  • Red Hat OpenShift AI 2.21
  • Red Hat OpenShift AI (RHOAI)

The IBM subsidiary previously recommended that users avoid granting broad permissions to system-level groups and revoke the ClusterRoleBinding that associates the kueue-batch-user-role with the system:authenticated group. It has since revised the alert to note that the mitigations "do not meet" its "Product Security criteria comprising ease of use and deployment."
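
For defenders who want to check their own clusters for the pattern described in the Bugzilla report, the following audit sketch flags any ClusterRoleBinding that gives a cluster-wide group the ability to create Jobs. It is an added example, not code from Red Hat or from this article; it assumes input in the shape of `kubectl get clusterroles,clusterrolebindings -o json`, and the rule contents and binding names in the sample are constructed placeholders.

```python
import json

# Groups that cover every (or nearly every) identity in a cluster.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}

def allows_job_create(rule):
    """True if an RBAC rule permits creating batch Jobs, directly or via wildcards."""
    def has(key, want):
        vals = rule.get(key) or []
        return want in vals or "*" in vals
    return has("apiGroups", "batch") and has("resources", "jobs") and has("verbs", "create")

def find_risky_bindings(items):
    """Return (binding, role, group) for ClusterRoleBindings that hand Job creation to a broad group."""
    roles = {i["metadata"]["name"]: i for i in items if i.get("kind") == "ClusterRole"}
    findings = []
    for b in items:
        if b.get("kind") != "ClusterRoleBinding":
            continue
        ref = b.get("roleRef", {})
        role = roles.get(ref.get("name")) if ref.get("kind") == "ClusterRole" else None
        if role is None or not any(allows_job_create(r) for r in role.get("rules") or []):
            continue
        for s in b.get("subjects") or []:
            if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS:
                findings.append((b["metadata"]["name"], ref["name"], s["name"]))
    return findings

# Constructed sample in the shape of `kubectl get clusterroles,clusterrolebindings -o json`.
# Rule contents and binding names are placeholders, not taken from a real cluster.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "kueue-batch-user-role"},
  "rules": [{"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create", "get", "list"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "example-read-only"},
  "rules": [{"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["get", "list"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "example-binding-all-users"},
  "roleRef": {"kind": "ClusterRole", "name": "kueue-batch-user-role"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "example-binding-team"},
  "roleRef": {"kind": "ClusterRole", "name": "kueue-batch-user-role"},
  "subjects": [{"kind": "Group", "name": "example-batch-admins"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "example-binding-readers"},
  "roleRef": {"kind": "ClusterRole", "name": "example-read-only"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]}
]}
""")

if __name__ == "__main__":
    for binding, role, group in find_risky_bindings(SAMPLE["items"]):
        print(f"{binding}: ClusterRole {role} lets group {group} create Jobs in any namespace")
```

Only ClusterRoleBindings are examined because a namespaced RoleBinding cannot grant Job creation "in any namespace"; the team-scoped and read-only bindings in the sample are deliberately left unflagged.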

(The story was updated after publication with additional details of the security vulnerability and to reflect Red Hat's changes to the advisory.)