Security Advisory - Published 2026-07-06 - Kubernetes Security Platform

CVE-2026-9165: check RHACS Central GraphQL exposure, API load, and audit logs

CVE-2026-9165 affects Red Hat Advanced Cluster Security for Kubernetes Central when authenticated GraphQL API requests can consume excessive resources. Focus on patch status, API exposure, and Central health during the exposure window.

Defensive scope: check clusters and RHACS tenants you own or are approved to administer. This page does not describe load-generation steps.

Quick facts

  • CVE: CVE-2026-9165
  • Product: Red Hat Advanced Cluster Security for Kubernetes
  • Severity: 7.7 (7.7)
  • Affected surface: Central GraphQL API
  • Review: API logs and Central health

What to check

  • RHACS Central version and whether the fixed Red Hat update is applied.
  • Central GraphQL API access from users, service accounts, automation, and external networks.
  • API latency, Central CPU/memory, pod restarts, and availability alerts during the exposure window.
  • Audit logs for unusually expensive authenticated API usage.

Safe fix path

  1. Apply the Red Hat update for RHACS Central.
  2. Limit GraphQL API reachability to trusted operators and automation paths.
  3. Review Central health, pod restarts, and API logs before closing the issue.
  4. Rotate affected service-account tokens if unusual authenticated API activity appears in audit logs.

Compromise indicators

  • Central resource spikes tied to authenticated API usage.
  • Unexpected Central restarts, failed health checks, or long API latency windows.
  • Service accounts calling the API outside their usual schedule.
  • API activity from networks that should not reach Central.

When to ask Ping7 for repair

Use Ping7 CVE Repair when RHACS Central had availability impact, audit logs are hard to interpret, or service-account rotation must be coordinated with cluster operations.

References