Red Hat OpenShift AI: Multiple Critical Security Vulnerabilities (CVE-2026-15378, CVE-2026-15143)
This text was generated using artificial intelligence (AI).Update July 10, 2026: In addition, CVE-2026-15143 (CVSS 9.3) has been disclosed. This additional blind SSRF vulnerability also affects the guardrail detectors-component and allows attackers to exploit the file_type-Detects unauthorized access to internal systems. See below for details.
On July 10, 2026, two critical vulnerabilities were discovered in the component guardrail detectors from Red Hat OpenShift AI published. Each vulnerability has a CVSS score of 9.3 (Critical) have been assessed and allow a remote, unauthenticated attacker to gain access to sensitive internal systems and data through server-side request forgery (SSRF). As of July 10, 2026, there are no indications of active exploitation of these vulnerabilities in the wild.
The Facts at a Glance
- CVE-2026-15378: Blind SSRF via a specially crafted XML Schema Definition (XSD)
- CVE-2026-15143: Blind SSRF via the file_type-Detector using any XSD
- CVSS Score: 9.3 (Critical) in each case
- Affected component: guardrail detectors in Red Hat OpenShift AI
- Attack vector: Network (AV:N), no authentication required (PR:N)
- Patch Status: As of the date of publication (July 10, 2026), no specific patched versions are yet known for either of these CVEs.
Technical Details on CVE-2026-15378
According to the advisory published by Red Hat, an attacker can trigger a blind server-side request forgery by sending a specially crafted XML Schema Definition (XSD) to the affected component. In this type of attack, the vulnerable server is tricked into sending requests to other systems on behalf of the attacker. Such requests can bypass firewalls and other protective mechanisms because they originate from a trusted internal source.
The CVSS score CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N emphasizes the high level of criticality:
- AV:N (Network): The attack can be carried out over the network.
- AC:L (Low): The implementation is not particularly complex.
- PR:N (None): No privileges are required to carry out the attack.
- UI:N (None): No user interaction is required.
According to Red Hat Bugzilla, the vulnerability is listed under ID 2498941.
Technical Details on CVE-2026-15143
CVE-2026-15143 is another blind SSRF vulnerability in the guardrail detectors-component. The attack vector runs through the file_type-detector, whereby an attacker can also trigger a server-side request forgery by injecting an arbitrary XML Schema Definition (XSD). The technical characteristics correspond to CVE-2026-15378:
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
- CVSS Score: 9.3 (Critical)
- Attack path: Network-based, no authentication required
Both vulnerabilities allow access to cloud metadata services, the Kubernetes API, internal MinIO storage, and other network endpoints, as well as the ability to read local files such as service account tokens and pod secrets.
Business Risks Posed by SSRF Vulnerabilities
A successful attack on Red Hat OpenShift AI Exploitation of CVE-2026-15378 or CVE-2026-15143 can have far-reaching consequences, particularly in cloud and Kubernetes environments. Direct risks include:
- Compromised Cloud Accounts: Attackers can access cloud metadata services and steal the credentials stored there.
- Migrating Kubernetes Clusters: Access to the Kubernetes API can lead to the complete compromise of the cluster.
- Access to internal data storage: Internal systems such as MinIO storage or other network endpoints become accessible.
- Theft of login credentials: These vulnerabilities allow attackers to read local files, enabling them to gain access to service account tokens or secrets stored in pods.
This information can serve as a starting point for further attacks within the IT infrastructure. The presence of two independent SSRF vectors in the same component significantly increases the attack surface.
Recommended Measures and Compliance Considerations
Red Hat has confirmed both vulnerabilities. As of the date of publication, no specific patched versions are known (as of July 10, 2026); likewise, no specific affected version numbers have been published. Operators of Red Hat OpenShift AI All production installations should use the guardrail detectors- Treat the component as potentially affected and take the following steps immediately:
- Check system status: Identify all instances of Red Hat OpenShift AI in your infrastructure.
- Follow updates: Follow the official Red Hat Security Advisories for CVE-2026-15378 and CVE-2026-15143 Check for available updates and install them as soon as they are available.
Proactive management of such vulnerabilities is a key component of information security management systems (ISMS) in accordance with ISO 27001 and a requirement under regulations such as NIS-2. An established process for vulnerability and patch management is essential for maintaining compliance.
In addition, companies and government agencies in the DACH region are subject to specific legal obligations: If a successful attack exploiting these vulnerabilities results in unauthorized access to personal data, the reporting requirement under Art. 33 of the GDPR within 72 hours to the competent supervisory authority. Operators of essential facilities as defined in the NIS-2 Directive are also required to maintain a verifiable vulnerability management system and to report significant security incidents immediately. The BSI generally recommends prioritizing the installation of available security updates for vulnerabilities rated as critical.
How LocateRisk Helps with Risk Mitigation
Vulnerabilities such as CVE-2026-15378 and CVE-2026-15143 highlight the importance of continuously monitoring external IT infrastructure and the security posture of suppliers.
- External Attack Surface Management (EASM): Red Hat OpenShift AI is often operated as a service on customer-owned domains and is therefore part of the external attack surface. LocateRisk helps IT teams identify exposed systems—including forgotten subdomains, shadow IT, and uncataloged cloud assets—and prioritize potentially vulnerable assets before they can be actively exploited.
- Vendor Risk Management (VRM): Continuous monitoring of the security of technology providers such as Red Hat is crucial. LocateRisk evaluates the security performance of third-party providers and alerts organizations to critical vulnerabilities or a decline in security levels. This enables systematic management of risks in the supply chain.
The combination of an external assessment of a company’s own infrastructure (EASM) and vendor risk management (VRM) helps companies systematically reduce and identify at an early stage the risks posed by vulnerabilities in third-party software.
Sources and further information
Frequently asked questions
A Server-Side Request Forgery (SSRF) is a security vulnerability in which an attacker tricks a server into sending a request to a resource controlled by the attacker or to an internal resource. In this process, the server acts as a proxy, which can be used to bypass firewalls and gain access to internal systems.
As of the disclosure date (July 10, 2026), Red Hat has not published any specific affected or patched version numbers for either CVE. Administrators should check all production RHOAI installations for the guardrail detectors- Treat the component as potentially affected and continuously check the official security advisories for updated information.
As of the publication date of this article (July 10, 2026), no specific patched versions are yet known for either vulnerability. Organizations using Red Hat OpenShift AI should regularly check the official Red Hat Security Advisories for available updates and apply them immediately upon release. ## Do you know your external attack surface? LocateRisk continuously identifies and assesses your external IT systems for security vulnerabilities. This way, you always know where your company is vulnerable. Request a free safety check