CVE-2026-15063 PUBLISHED

Trustyai-service-operator: trustyai service operator: gorch port bypass when auth is enabled

Assigner: redhat
Reserved: 08.07.2026 Published: 08.07.2026 Updated: 08.07.2026

A flaw was found in the gorch service template, which is part of the trustyai-service-operator. Even when authentication is enabled, the gorch service exposes unproxied orchestrator and detector metrics ports. This allows any pod on the cluster network to directly access these ports, bypassing the kube-rbac-proxy and its authentication mechanisms. This could lead to unauthorized access to the orchestrator and detector metrics.

Metrics

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CVSS Score: 6.3

Product Status

Vendor Red Hat
Product Red Hat OpenShift AI (RHOAI)
Versions Default: affected

References

Problem Types

  • Missing Authentication for Critical Function CWE