A critical flaw in the Red Hat OpenShift AI (RHOAI) service allows attackers with minimal access to escalate privileges and seize full control of entire clusters.
Identified as CVE-2025-10725, the vulnerability stems from an overly permissive ClusterRole assignment that links the built-in system: authenticated group to the kueue-batch-user-role.
This misconfiguration grants any authenticated user broad job-creation rights across the cluster, enabling privilege escalation, data theft, service disruption, and complete infrastructure compromise.
Risk Factor Table
CVE ID | Affected Component | CVSS v3.1 Score (Red Hat) |
---|---|---|
CVE-2025-10725 | Red Hat OpenShift AI Service (rhoai/odh-rhel8-operator, rhoai/odh-rhel9-operator) | 9.9 (Important) |
Vulnerability Details
The flaw resides in a ClusterRoleBinding that indiscriminately associates system: authenticated, which includes any user with a valid login, with the kueue-batch-user-role.
Users such as data scientists operating standard Jupyter notebook accounts gain the ability to create job clusters.
By crafting malicious jobs that run with elevated privileges, an attacker can hijack the cluster control plane.
Once administrative privileges are obtained, the threat actor can:
- Steal sensitive data stored within pods and persistent volumes
- Disrupt or disable mission-critical services
- Deploy backdoors or malware for persistent access
- Control underlying infrastructure components
Red Hat assigns a CVSS v3.1 score of 9.9, rating the issue as Important rather than Critical because exploitation requires authentication.
However, the practical risk is severe, since many organizations grant data scientists and analysts extensive rights for job scheduling and batch workloads.
Organizations that provide broad job-creation permissions to large user groups are particularly exposed.
An attacker exploiting CVE-2025-10725 can move laterally, gaining persistent control over analytics workloads, model training pipelines, and even core platform services.
The vulnerability undermines tenant isolation in multi-tenant environments and can facilitate cross-project attacks.
Mitigation Recommendations
To remediate this vulnerability, administrators should apply strict least-privilege principles:
- Revoke the offending ClusterRoleBinding: Remove any bindings that attach kueue-batch-user-role to system: authenticated.
- Define explicit job-creation roles: Assign the kueue-batch-user-role only to specific user accounts or groups that require batch job permissions.
- Audit existing roles and bindings: Review all ClusterRoleBindings for overly broad assignments and ensure permissions align with actual job requirements.
- Enforce separation of duties: Maintain distinct roles for development, analytics, and administrative functions to limit privilege escalation paths.
These steps reduce the attack surface by restricting administrative capabilities to trusted identities, ensuring that data scientists and other non-administrative users cannot escalate privileges.
CVE-2025-10725 serves as a stark reminder of the dangers inherent in overly permissive role configurations within Kubernetes-powered AI platforms.
Security teams must proactively govern cluster permissions, conduct regular audits of role and binding assignments, and enforce least-privilege policies to guard against privilege escalation.
Vigilant permission management is essential to maintain the integrity of AI-driven services and protect sensitive data and workloads.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates