Red Hat has found a critical security vulnerability in its OpenShift AI platform, versions 2.19 and 2.21. The vulnerability, now known as CVE-2025-10725, has the dubious honor of having been assigned a CVSS rating of 9.9 out of 10. That strong rating categorizes it as “Important” in the severity level. The vulnerability is not rated “Critical” due to the requirement of authentication for attackers to exploit. This vulnerability is more than enough for them to privilege-escalate and take full control of the hybrid cloud infrastructure.
A big security problem stems from an overly permissive default ClusterRole in OpenShift AI. This vulnerability would enable authenticated users to gain permissions and access beyond that of a cluster administrator. This vulnerability is extremely dangerous, enabling adversaries to achieve full cluster confidentiality, integrity, and availability.
Details of the Vulnerability
The vulnerability for this CVE is limited to Red Hat OpenShift AI 2.19 and 2.21. According to Red Hat, “a low-privileged attacker with access to an authenticated account, for example, as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator.”
This increased risk can result in catastrophic events for companies using Red Hat OpenShift AI. As stated by Red Hat, “this allows for the complete compromise of the cluster’s confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it.”
The vulnerability is a result of a too permissive ClusterRole. It provides for any authenticated owner, low-privileged service accounts in user workbenches, to submit OpenShift Jobs in all namespaces. This wide-ranging allowance greatly widens the attack surface for privilege escalation.
Recommendations and Mitigations
Given this vulnerability, Red Hat has previously advised customers not to give excessive permissions to system-level groups. Additionally, IBM’s subsidiary had advised revoking the ClusterRoleBinding that associates the kueue-batch-user-role with the system:authenticated group.
Red Hat has indicated that these mitigations “do not meet” their “Product Security criteria comprising ease of use and deployment.” Accordingly, organizations might have the best of intentions to deploy effective safeguards but struggle to do so without making radical changes to their current deployments.
Red Hat has updated its alert about this security vulnerability to clarify just how serious it is for users. Organizations are urged to take prompt action to review their OpenShift AI deployments and apply necessary changes to mitigate risks associated with this vulnerability.