
Red Hat OpenShift AI Flaw Opens Door to Full Infrastructure Takeover

Severe OpenShift AI bug lets low-privileged users escalate to cluster admin, risking data theft and infrastructure control.

Written By
Ken Underhill
Oct 1, 2025

A newly disclosed vulnerability in Red Hat OpenShift AI could allow low-privileged users to escalate privileges and seize full control of the hybrid cloud infrastructure. 

The flaw has been assigned a near-maximum CVSS score of 9.9, underscoring its severity for organizations relying on OpenShift AI to run predictive and generative AI workloads.

“A low-privileged attacker with access to an authenticated account, such as a data scientist using a Jupyter notebook, can escalate their privileges to full cluster administrator,” the company stated.  

Exploit could compromise AI workloads

OpenShift AI is widely adopted for managing the lifecycle of machine learning models across hybrid cloud environments. 

The affected versions — OpenShift AI 2.19 and 2.21, along with the Red Hat OpenShift AI Operator images — are integral to organizations deploying large-scale AI pipelines. 

Exploitation of this vulnerability (CVE-2025-10725) could enable attackers to steal sensitive data, disrupt workloads, and compromise the underlying infrastructure, putting critical operations at risk.

Low privilege, full takeover: Inside CVE-2025-10725

At the heart of CVE-2025-10725 is a misconfigured ClusterRoleBinding that ties the kueue-batch-user-role to the broad system:authenticated group. This design oversight essentially extends elevated permissions to every authenticated user in the cluster, rather than restricting them to narrowly defined roles.

In practice, most users — such as data scientists running experiments in Jupyter notebooks — should only have limited rights to submit or manage their own workloads. But with this binding in place, even low-privileged accounts can call the batch.kueue.openshift.io API and create arbitrary Job or Pod resources.

Once that foothold is established, attackers can chain privileges by injecting malicious containers or init-containers. These rogue workloads can run administrative commands like oc or kubectl, impersonating higher-privileged accounts and escalating step by step until they reach the cluster-admin role.

With cluster-admin privileges, the attacker has unrestricted control and can do the following:

  • Exfiltrate data: Access and steal secrets, datasets, and IP from cluster storage.
  • Disrupt services: Kill Pods, stop jobs, or deploy services that degrade or deny operations.
  • Seize infrastructure: Change cluster configs, install persistent backdoors, or pivot to other cloud resources.

While exploitation requires an authenticated account, the barrier is relatively low. In fact, a single compromised or insider account could result in a total compromise of confidentiality, integrity, and availability. In effect, this misconfiguration turns the platform’s shared multi-user design into its greatest vulnerability, exposing entire hybrid AI pipelines to takeover.

Break the attack chain early

Red Hat has issued patches addressing this flaw. However, patching alone may not be sufficient. 

To reduce the risk of privilege escalation and full cluster takeover, organizations should strengthen access controls and continuously monitor for signs of abuse. Key mitigations include:

  • Tighten RBAC controls: Remove the problematic ClusterRoleBinding, grant job-creation rights only to trusted groups, and audit role assignments to enforce least privilege.
  • Monitor for abnormal activity: Track unusual Pod creations, service account escalations, and suspicious API calls to batch.kueue.openshift.io.
  • Use policy enforcement tools: Deploy admission controllers or OPA/Kyverno rules to block untrusted Pods and prevent privilege abuse.
  • Segment and secure workloads: Isolate namespaces, restrict network paths, and rotate and scope service account tokens to limit lateral movement.
  • Continuously audit and test: Run cluster security posture scans, maintain audit logs, and conduct IR tabletops for Kubernetes/OpenShift environments.
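
As an added example (not from Red Hat or the original article), the RBAC audit in the first bullet can be scripted: the function below flags any ClusterRoleBinding that grants a role to a catch-all group such as system:authenticated. The binding names in the sample and the baseline of expected roles are assumptions; only kueue-batch-user-role and system:authenticated come from the article.

```python
import json

# Groups that match every logged-in (or anonymous) user of the cluster.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}
# Assumption: low-risk upstream Kubernetes default roles that are normally
# bound to those groups; extend this baseline for your own cluster.
EXPECTED_ROLES = {"system:basic-user", "system:discovery",
                  "system:public-info-viewer"}

# Constructed sample shaped like `oc get clusterrolebindings -o json`.
# Binding names are invented; the role and group come from the article.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "example-kueue-batch-user-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "kueue-batch-user-role"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "example-ml-team-jobs"},
     "roleRef": {"kind": "ClusterRole", "name": "kueue-batch-user-role"},
     "subjects": [{"kind": "Group", "name": "example-ml-engineers"}]},
    {"metadata": {"name": "example-discovery"},
     "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "example-empty"},
     "roleRef": {"kind": "ClusterRole", "name": "view"}, "subjects": None},
]})


def find_broad_bindings(bindings_json, expected_roles=EXPECTED_ROLES):
    """Return (binding, role, group) tuples that need a least-privilege review."""
    findings = []
    for item in json.loads(bindings_json).get("items", []):
        role = item.get("roleRef", {}).get("name", "")
        if role in expected_roles:
            continue  # part of the accepted baseline
        # `subjects` can be missing or null when a binding has no subjects.
        for subj in item.get("subjects") or []:
            if subj.get("kind") == "Group" and subj.get("name") in BROAD_GROUPS:
                findings.append((item["metadata"]["name"], role, subj["name"]))
    return findings


if __name__ == "__main__":
    for name, role, group in find_broad_bindings(SAMPLE):
        print(f"REVIEW {name}: {role} is granted to {group}")
```

On a live cluster, feed the function the output of `oc get clusterrolebindings -o json`; namespaced RoleBindings need a separate pass.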

While these steps reduce immediate risk, the disclosure highlights deeper challenges in securing AI-driven, hybrid cloud environments.

Why AI services are prime cyber targets

This disclosure underscores a growing challenge for enterprises: AI services are becoming high-value targets due to their central role in data pipelines, intellectual property protection, and critical decision-making systems. 

The OpenShift AI flaw illustrates how a single misconfiguration in identity and access management can escalate into a platform-wide breach.

As organizations expand hybrid cloud deployments and adopt GenAI services, RBAC hardening and patch discipline must be treated with the same urgency as traditional OS and application patching. Attackers increasingly exploit cloud-native platforms not through sophisticated zero-days, but through over-permissive defaults and overlooked privilege bindings.

When one misconfiguration can topple an entire cluster, Zero-Trust becomes less a strategy and more a necessity.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
