A newly discovered vulnerability in Red Hat’s OpenShift AI has enterprise users of AI workloads across hybrid cloud environments on high alert. Security researchers found that an attacker with limited permissions could escalate privileges and gain full control of the entire infrastructure—a scary thought for organizations running sensitive AI and data workloads.
The issue is CVE-2025-10725 and has a CVSS score of 9.9 out of 10. Red Hat has classified it as “Important,” but the impact is huge. Experts say this kind of privilege escalation vulnerability could be a launchpad for full compromise of cloud-native systems and affect everything from data confidentiality to production workload stability.
How it works in OpenShift AI
OpenShift AI is designed to simplify the deployment and management of predictive and generative AI models across hybrid cloud infrastructures. It provides an environment where teams can handle data preparation, model training, serving, and monitoring—all within a scalable containerized system.
According to the Red Hat advisory, a low-privileged authenticated user (e.g., a data scientist working from a standard Jupyter notebook) could exploit the flaw to become a cluster administrator.
A Bugzilla report traced the vulnerability to an overly permissive ClusterRole, a configuration that defines what users can do inside OpenShift. Because the role allowed authenticated users to create “Jobs” in any namespace, an attacker could schedule a malicious Job in a privileged namespace (e.g., the one used by OpenShift’s API server operator).
Under certain circumstances, a seemingly insignificant user account can hold the key to the entire kingdom.
Versions affected and Red Hat’s response
The vulnerability affects Red Hat OpenShift AI 2.16, 2.19, 2.21, and 2.22. Red Hat, an IBM company, has released guidance and mitigations. Initially, they recommended administrators restrict permissions and revoke specific ClusterRoleBindings that were binding to broad user groups. But after further analysis, they updated their advisory on October 6, 2025, to provide additional mitigations for users who can’t upgrade yet.
While these are temporary fixes, Red Hat recommends users upgrade to 2.16.3 or later, where the fix is permanent. They stress that continuous monitoring and minimizing cluster-wide permissions are security best practices, especially in multi-tenant environments where data scientists, developers, and operations teams share the same infrastructure.
Why this matters for AI-driven enterprises
At the center of all things AI these days is the hybrid cloud, which means flexibility and scalability. However, it also introduces a whole host of complexity, including layers of permissions, automation, and integration, which creates a perfect storm for attacks like this one. Some security analysts are saying this OpenShift AI vulnerability is a stark reminder of just how quickly the pace of AI platform innovation is leaving traditional access control strategies in the dust.
For organizations running AI workloads, this flaw puts center stage the need for zero trust—and to get into the habit of running regular audits on user roles. Even users who are authenticated can become a problem if their permissions are too broad or totally unisolated. As Red Hat and others keep pushing AI management platforms forward—and that's to be expected—the challenge is going to remain the same: finding a way to balance usability with security.
