CVE-2025-2843: Observability Operator is vulnerable to Incorrect Privilege Assignment through its Custom Resource MonitorStack
(updated )
A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with ClusterRole upon deployment of the Namespace-Scoped Custom Resource MonitorStack. This issue allows an adversarial Kubernetes Account with only namespaced-level roles, for example, a tenant controlling a namespace, to create a MonitorStack in the authorized namespace and then elevate permission to the cluster level by impersonating the ServiceAccount created by the Operator, resulting in privilege escalation and other issues.
References
- access.redhat.com/errata/RHSA-2025:21146
- access.redhat.com/security/cve/CVE-2025-2843
- bugzilla.redhat.com/show_bug.cgi?id=2355222
- github.com/advisories/GHSA-mj6p-p843-x5wc
- github.com/rhobs/observability-operator
- github.com/rhobs/observability-operator/commit/98b927fab755decd6e030ac6af5c005879bab020
- github.com/rhobs/observability-operator/releases/tag/v1.3.0
- nvd.nist.gov/vuln/detail/CVE-2025-2843
Code Behaviors & Features
Detect and mitigate CVE-2025-2843 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →