Root-access bug in Red Hat OpenShift AI allows full cluster takeover (www.theregister.com)

A near-critical vulnerability (CVE-2025-10725, CVSS 9.9) has been disclosed in Red Hat OpenShift AI that can let a minimally authenticated user—such as a data scientist with a standard Jupyter notebook account—escalate to full cluster administrator and fully compromise cluster confidentiality, integrity and availability. OpenShift AI is widely used to build and manage AI workloads across hybrid clouds, so successful exploitation could expose model training data, pipelines, and infrastructure, or allow attackers to disrupt or seize platforms hosting ML applications. The flaw stems from a misconfiguration: the ClusterRole kueue-batch-user-role is bound to the system:authenticated group, granting any authenticated entity the ability to create OpenShift Jobs in any namespace. An attacker can schedule a job in a privileged namespace, run it with a high-privilege ServiceAccount, exfiltrate that ServiceAccount token, and progressively pivot to take over master nodes and the entire cluster. Red Hat recommends urgently removing the ClusterRoleBinding linking kueue-batch-user-role to system:authenticated and applying least-privilege, granular job-creation permissions; security teams should assume breach, patch quickly, and run an incident-response investigation to confirm whether clusters were already compromised.