CVE-2026-9165
Red Hat · Red Hat Advanced Cluster Security (RHACS)
A flaw in Red Hat Advanced Cluster Security (RHACS) allows an authenticated user to perform uncontrolled resource consumption via the GraphQL API, potentially causing a denial-of-service.
Executive summary
An authenticated denial-of-service vulnerability in Red Hat Advanced Cluster Security (RHACS) could allow malicious actors to disrupt the management plane by submitting deeply nested GraphQL queries.
Vulnerability
This vulnerability involves uncontrolled resource consumption (CWE-400) within the Central component's authenticated GraphQL API. An attacker with a valid API token can submit specifically crafted, deeply nested queries that exhaust system resources, leading to a denial-of-service for the management plane.
Business impact
The CVSS score of 7.7 (High) reflects the potential for significant operational disruption. Because RHACS is central to security and policy enforcement for Kubernetes environments, a successful denial-of-service attack could leave critical infrastructure unmonitored or unable to enforce security policies, increasing the risk of secondary exploitation or compliance failures.
Remediation
Immediate Action: Review the official Red Hat security advisory and apply the necessary patches or configuration updates provided by the vendor to restrict unauthorized or excessive API usage.
Proactive Monitoring: Monitor API usage patterns and system resource metrics, such as CPU and memory utilization on the RHACS Central component, to identify anomalous query behavior.
Compensating Controls: Implement strict API rate limiting and token management policies to ensure that only authorized, low-privilege service accounts can interact with the management plane.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the critical nature of cluster security management, administrators must treat this as a priority update. Ensure all API tokens are audited for least privilege and apply the vendor-supplied patches immediately to prevent potential service degradation.