Redhat Advanced Cluster Management For Kubernetes — known CVE vulnerabilities
Every CVE whose affected-product data names Redhat Advanced Cluster Management For Kubernetes, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (12)
CVE-2026-4740 — CVSS 8.2 (high): A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation…
CVE-2023-3027 — CVSS 7.8 (high): The grc-policy-propagator allows security escalation within the cluster. The propagator allows policies which contain some dynamically…
CVE-2022-3841 — CVSS 7.8 (high): RHACM: unauthenticated SSRF in console API endpoint. A Server-Side Request Forgery (SSRF) vulnerability was found in the console API…
CVE-2022-27191 — CVSS 7.5 (high): The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain…
CVE-2025-14874 — CVSS 7.5 (high): A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers…
CVE-2022-2238 — CVSS 6.5 (medium): A vulnerability was found in the search-api container in Red Hat Advanced Cluster Management for Kubernetes when a query in the search…
CVE-2025-57851 — CVSS 6.4 (medium): A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd…
CVE-2020-25655 — CVSS 5.7 (medium): An issue was discovered in ManagedClusterView API, that could allow secrets to be disclosed to users without the correct permissions. Views…
CVE-2025-6017 — CVSS 5.5 (medium): A flaw was found in Red Hat Advanced Cluster Management through versions 2.10, before 2.10.7, 2.11, before 2.11.4, and 2.12, before 2.12.4…
CVE-2022-3248 — CVSS 4.4 (medium): A flaw was found in OpenShift API, as admission checks do not enforce "custom-host" permissions. This issue could allow an attacker to…
CVE-2020-25688 — CVSS 3.5 (low): A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test…