CVE-2026-46579 – Openshift/router: openshift/router: mtls client certificate spoofing via unstripped x-ssl-client headers on http frontend

CVE ID :CVE-2026-46579

Published : May 29, 2026, 9:50 a.m. | 41 minutes ago

Description :A flaw was found in the OpenShift Router. When a Route has `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend does not remove `X-SSL-Client-*` headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted `X-SSL-Client-*` headers. As a result, backends relying on these headers for mutual TLS (Transport Layer Security) authentication can be bypassed, enabling the attacker to impersonate client certificate identities.

Severity: 7.4 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-49325 – Indian Scout Bobber 2025 WCM voltage-based shutdown

CVE-2026-49318 – Indian Scout Bobber 2025 Infotainment Digital Round skips PIN entry when WCM is silent at boot

CVE-2026-49317 – Indian Scout Bobber 2025 Infotainment Digital Round skips PIN entry when WCM is silent at boot

CVE-2026-49316 – Indian Scout Bobber 2025 WCM CAN bus-off attack silently bypasses anti-theft shutdown