CVE-2025-2843: 
vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-2843) was discovered in the Observability Operator, affecting its Custom Resource MonitorStack functionality. The vulnerability was disclosed on November 12, 2025, and impacts Kubernetes clusters running the Observability Operator versions prior to 1.3.0. This vulnerability is classified as an Incorrect Privilege Assignment issue (CWE-266) with a CVSS v3.1 score of 8.8 (HIGH) (NVD, Miggo).

The vulnerability stems from the Observability Operator's design where it creates a ServiceAccount with ClusterRole privileges upon deployment of the Namespace-Scoped Custom Resource MonitorStack. The MonitorStack Custom Resource is defined at the Namespace scope, allowing accounts with only namespaced-level roles to deploy it. When deploying MonitorStack, the reconciler creates a ServiceAccount with ClusterRole, which is a higher privilege level than intended (NVD, Red Hat).

The vulnerability enables privilege escalation within Kubernetes clusters. An adversarial account with only namespace-level roles can exploit this flaw to elevate their permissions to cluster-level access. This allows potential attackers to bypass intended security boundaries and gain unauthorized cluster-wide administrative privileges (NVD).

Red Hat has released version 1.3.0 of the Cluster Observability Operator (COO) to address this vulnerability. Users are strongly advised to upgrade to this version to prevent potential exploitation. The fix is available through the official Red Hat security advisory RHSA-2025:21146 (Red Hat Advisory).