CVE-2025-12805
Published: 26 March 2026
Summary
CVE-2025-12805 is a high-severity Improper Isolation or Compartmentalization (CWE-653) vulnerability in Red Hat OpenShift AI. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Remote Services: Cloud Services (T1021.007). The CVE ranks at the 2.7th percentile by exploit likelihood (well below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-50 (Software-enforced Separation and Policy Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-4 (Information Flow Enforcement): Enforces approved authorizations for controlling information flows between namespaces, directly preventing unauthorized network access to Llama Stack services where no NetworkPolicy restricts them.
- SC-7 (Boundary Protection): Monitors and controls communications at internal boundaries such as namespaces, mitigating direct network requests that bypass isolation to reach other users' Llama Stack instances.
- SC-50 (Software-enforced Separation and Policy Enforcement): Implements software-enforced separation and policy mechanisms such as NetworkPolicies to restrict cross-namespace access to the llama-stack service endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing NetworkPolicy enables cross-namespace network access to Llama Stack services (T1021.007 Cloud Services); the exposed endpoint can be reached and exploited by a low-privileged account (T1190 Exploit Public-Facing Application).
NVD Description
A flaw was found in Red Hat OpenShift AI (RHOAI) llama-stack-operator. This vulnerability allows unauthorized access to Llama Stack services deployed in other namespaces via direct network requests, because no NetworkPolicy restricts access to the llama-stack service endpoint. As a result, a user in one namespace can access another user's Llama Stack instance and potentially view or manipulate sensitive data.
Deeper analysis
CVE-2025-12805 is a vulnerability in the Red Hat OpenShift AI (RHOAI) llama-stack-operator that enables unauthorized access to Llama Stack services deployed in other namespaces. The issue stems from the absence of a NetworkPolicy restricting access to the llama-stack service endpoint, allowing direct network requests to bypass namespace isolation. It is associated with CWE-653 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
A low-privileged user (PR:L) within one namespace can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction required. Successful exploitation grants access to another user's Llama Stack instance, enabling the viewing or manipulation of sensitive data (high confidentiality and integrity impact, no availability impact).
Red Hat has addressed this vulnerability through security advisories RHSA-2026:2106 and RHSA-2026:2695, with additional details available on their CVE page (https://access.redhat.com/security/cve/CVE-2025-12805) and Bugzilla entry 2413101 (https://bugzilla.redhat.com/show_bug.cgi?id=2413101). Practitioners should consult these resources for patch deployment and mitigation instructions.
This vulnerability is relevant to AI/ML workloads in multi-tenant OpenShift environments, as Llama Stack services handle potentially sensitive model inference or data processing. No public information on real-world exploitation is available as of the CVE publication date of 2026-03-26.
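The exposed state described above is simply the Kubernetes default: a pod with no NetworkPolicy selecting it accepts ingress from every namespace. The script below is an added example written for this page, not code from Red Hat or the llama-stack-operator project. It assumes, hypothetically, that Llama Stack pods carry the label app.kubernetes.io/name=llama-stack and that the cluster CLI is oc (kubectl can be substituted through the KUBECTL variable). It does two things: it lists namespaces that run Llama Stack pods but have no NetworkPolicy at all, and it emits a NetworkPolicy that admits ingress to those pods only from pods in the same namespace, which is the compartmentalization the advisory says was missing.

```shell
#!/bin/sh
# Added example for CVE-2025-12805 (not from Red Hat or llama-stack-operator).
# Hypothetical assumptions: Llama Stack pods are labelled
# app.kubernetes.io/name=llama-stack; the cluster CLI is `oc` (override with KUBECTL).
KUBECTL="${KUBECTL:-oc}"
LS_LABEL_KEY="${LS_LABEL_KEY:-app.kubernetes.io/name}"
LS_LABEL_VALUE="${LS_LABEL_VALUE:-llama-stack}"

# Print a NetworkPolicy for namespace $1 that allows ingress to the Llama Stack
# pods only from pods in that same namespace. Without a policy selecting the
# pods, Kubernetes allows all ingress, including from other tenants' namespaces.
llama_stack_netpol() {
  ns="$1"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: llama-stack-same-namespace-only
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      ${LS_LABEL_KEY}: ${LS_LABEL_VALUE}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}   # any pod in this namespace; nothing from other namespaces
EOF
}

# List namespaces that run Llama Stack pods but have no NetworkPolicy objects.
# Zero policies means certain exposure; namespaces that do have policies still
# need their podSelectors checked by hand, because an unrelated policy leaves
# the Llama Stack pods unselected and therefore still open.
audit_llama_stack_namespaces() {
  "$KUBECTL" get pods -A -l "${LS_LABEL_KEY}=${LS_LABEL_VALUE}" \
      -o jsonpath='{range .items[*]}{.metadata.namespace}{"\n"}{end}' | sort -u |
  while read -r ns; do
    [ -n "$ns" ] || continue
    n=$("$KUBECTL" get networkpolicy -n "$ns" -o name 2>/dev/null | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
      echo "EXPOSED: namespace $ns has Llama Stack pods and no NetworkPolicy"
    else
      echo "review:  namespace $ns has $n NetworkPolicy object(s); check their podSelectors"
    fi
  done
}

# Usage (against a live cluster):
#   audit_llama_stack_namespaces
#   llama_stack_netpol user-a | "$KUBECTL" apply -f -
```

Two caveats a practitioner should keep in mind. A NetworkPolicy only has effect when the cluster's network plugin enforces it (OpenShift's default OVN-Kubernetes does; a CNI without policy support silently ignores it). And if tenants reach their Llama Stack instance through an OpenShift Route rather than in-namespace traffic, the policy above will also block the ingress controller, so an additional ingress rule admitting the openshift-ingress namespace (for example via a namespaceSelector on the policy-group.network.openshift.io/ingress label) is needed alongside it.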
Details
- CWE(s): CWE-653 (Improper Isolation or Compartmentalization)
- Affected Products: Red Hat OpenShift AI (RHOAI) llama-stack-operator
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, llama