CVE-2025-10725 (CVSS 9.9): Red Hat OpenShift AI Privilege Escalation Flaw Could Lead to Full Cluster Compromise


The Red Hat team has disclosed a serious vulnerability in Red Hat OpenShift AI, a platform designed to build, deploy, and manage machine learning (ML) models across hybrid cloud environments. Tracked as CVE-2025-10725, the flaw carries a CVSS score of 9.9, making it one of the most severe issues discovered in recent OpenShift AI releases.

The flaw stems from overly permissive role bindings within OpenShift AI. As the advisory explains: “A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator. This allows for the complete compromise of the cluster’s confidentiality, integrity, and availability.”

Exploitation of this flaw could allow an attacker to:

  • Steal sensitive datasets and ML models.
  • Disrupt all services hosted within the cluster.
  • Take control of the underlying infrastructure, resulting in a total breach of the platform.

Despite the near-catastrophic potential of this vulnerability, Red Hat classified it as Important rather than Critical. The reasoning, according to the advisory, is that “it requires minimal authentication for the remote attacker to jeopardize an environment.”

In other words, attackers need at least some level of legitimate access—such as a compromised user account—before they can exploit the flaw.

Until patches are fully applied, Red Hat recommends that administrators immediately adjust their permission model to follow the principle of least privilege. Specifically, the advisory instructs:

  • Remove the ClusterRoleBinding that associates the kueue-batch-user-role with the system:authenticated group. The permission to create jobs should be granted on a more granular, as-needed basis to specific users or groups.
  • Avoid granting broad permissions to system-level groups.

These mitigations reduce the risk of unauthorized privilege escalation and limit the blast radius of a potential attack.
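An added example (not from Red Hat's advisory or the original article) that audits ClusterRoleBindings for the grant described above and, going slightly beyond it, lists every other binding to a cluster-wide system group for review. It assumes input in the shape of `oc get clusterrolebindings -o json`; the binding names and the `ml-team-a` group in the sample are constructed.

```python
import json
import sys

# Groups whose membership covers every (or every anonymous) identity.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}
ADVISORY_ROLE = "kueue-batch-user-role"  # role named in the advisory

def audit_bindings(doc):
    """Return (binding, role, group, matches_advisory) for each broad grant."""
    findings = []
    for item in doc.get("items", []):
        role = item.get("roleRef", {}).get("name", "")
        # "subjects" can be missing or null on a binding with no subjects.
        for subject in item.get("subjects") or []:
            if subject.get("kind") == "Group" and subject.get("name") in BROAD_GROUPS:
                findings.append((item["metadata"]["name"], role,
                                 subject["name"], role == ADVISORY_ROLE))
    return findings

def _crb(name, role, subjects):
    """Build a minimal ClusterRoleBinding dict for the constructed sample."""
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role}, "subjects": subjects}

# Constructed sample; binding names and the ml-team-a group are hypothetical.
SAMPLE = {"kind": "List", "items": [
    _crb("example-kueue-batch-open", ADVISORY_ROLE,
         [{"kind": "Group", "name": "system:authenticated"}]),
    _crb("example-kueue-batch-team", ADVISORY_ROLE,
         [{"kind": "Group", "name": "ml-team-a"}]),
    _crb("example-discovery", "system:discovery",
         [{"kind": "Group", "name": "system:authenticated"}]),
    _crb("example-no-subjects", "view", None),
]}

if __name__ == "__main__":
    # Pass a file saved from `oc get clusterrolebindings -o json`, or no
    # argument to run against the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE
    for name, role, group, hit in audit_bindings(doc):
        tag = "REMOVE (advisory)" if hit else "review"
        print(f"{tag:18} {name}: {role} -> {group}")
```

Rows tagged "review" are prompts for inspection rather than findings, since clusters bind some low-risk default roles to `system:authenticated`. The binding scoped to `ml-team-a` is not reported, which is the granular form of grant the advisory recommends.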
