Critical privilege escalation flaw in Red Hat OpenShift AI enables cluster takeover
Take action: If you run Red Hat OpenShift AI clusters, check for and remove any ClusterRoleBinding that grants the kueue-batch-user-role to the system:authenticated group - this binding allows any logged-in user (including basic data scientist accounts) to escalate to full cluster admin and take complete control of your entire environment. Review your role bindings right now and grant job-creation permissions only to specific users who truly need them.
Learn More
Red Hat is reporting a critical security vulnerability in its OpenShift AI service that allows attackers with minimal system access to achieve complete cluster compromise.
The flaw is tracked as CVE-2025-10725 (CVSS score 9.9) and is caused by an overly permissive ClusterRoleBinding that indiscriminately associates the built-in system:authenticated group with the kueue-batch-user-role. This design effectively grants any authenticated user in the cluster broad job-creation rights across the entire environment, instead of restricting these elevated permissions to specific, authorized users or groups.
In typical deployment scenarios, users such as data scientists operating standard Jupyter notebook accounts should possess only limited rights to submit and manage their own workloads. With this binding in place, even low-privileged accounts can invoke the batch.kueue.openshift.io API to create arbitrary Job and Pod resources. Once this initial foothold is established, attackers can chain privileges by injecting malicious containers or init-containers, crafting jobs that execute with elevated permissions and effectively hijacking the cluster control plane.
Once administrative privileges are obtained, threat actors gain the ability to steal sensitive data stored within pods and persistent volumes, disrupt or completely disable mission-critical services, deploy backdoors or malware for persistent access, and seize control of underlying infrastructure components.
Red Hat has classified this vulnerability as "Important" because exploitation requires an authenticated account with valid login credentials. Security researchers and industry analysts emphasize that the practical risk remains critical since organizations grant a large number of data scientists, analysts, and researchers access to work on such clusters for their normal work. The prerequisite authentication barrier is often trivially low.
Red Hat strongly recommends that administrators implement strict least-privilege principles immediately. Organizations should revoke the ClusterRoleBinding by removing any bindings that attach the kueue-batch-user-role to the system:authenticated group.
Job-creation permissions should be granted on a granular, as-needed basis exclusively to specific users or groups that legitimately require batch job capabilities. Organizations should avoid granting broad permissions to system-level groups as a matter of policy.
