CVE-2026-4645 - Vulnerability Details

Duplicate of CVE-2026-32287

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Advanced Cluster Management For Kubernetes Enterprise Linux Migration Toolkit For Applications Openshift Compliance Operator Openshift Container Platform Openshift Distributed Tracing Openshift File Integrity Operator

No data.

References

Link	Providers
https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494
https://github.com/antchfx/xpath/issues/121
https://github.com/golang/vulndb/issues/4526
https://nvd.nist.gov/vuln/detail/CVE-2026-4645
https://www.cve.org/CVERecord?id=CVE-2026-4645

History

Mon, 30 Mar 2026 09:15:00 +0000

Type	Values Removed	Values Added
Title	Github.com/antchfx/xpath: xpath: denial of service via crafted boolean xpath expressions	github.com/antchfx/xpath: xpath: Denial of Service via crafted Boolean XPath expressions
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 30 Mar 2026 08:30:00 +0000

Type	Values Removed	Values Added
References	https://access.redhat.com/security/cve/CVE-2026-4645 https://bugzilla.redhat.com/show_bug.cgi?id=2450214

Mon, 30 Mar 2026 08:15:00 +0000

Type	Values Removed	Values Added
Description	A flaw was found in the `github.com/antchfx/xpath` component. A remote attacker could exploit this vulnerability by submitting crafted Boolean XPath expressions that evaluate to true. This can cause an infinite loop in the `logicalQuery.Select` function, leading to 100% CPU utilization and a Denial of Service (DoS) condition for the affected system.	Duplicate of CVE-2026-32287
CPEs	cpe:/a:redhat:acm:2 cpe:/a:redhat:migration_toolkit_applications:8 cpe:/a:redhat:openshift:4 cpe:/a:redhat:openshift_compliance_operator:1 cpe:/a:redhat:openshift_distributed_tracing:3 cpe:/a:redhat:openshift_file_integrity_operator:1 cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:9
Vendors & Products	Redhat acm Redhat migration Toolkit Applications Redhat openshift

Tue, 24 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 24 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat advanced Cluster Management For Kubernetes Redhat migration Toolkit For Applications Redhat openshift Container Platform
Vendors & Products		Redhat advanced Cluster Management For Kubernetes Redhat migration Toolkit For Applications Redhat openshift Container Platform

Tue, 24 Mar 2026 02:45:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-4645 https://www.cve.org/CVERecord?id=CVE-2026-4645
Metrics	threat_severity `None`	threat_severity `Important`

Mon, 23 Mar 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in the `github.com/antchfx/xpath` component. A remote attacker could exploit this vulnerability by submitting crafted Boolean XPath expressions that evaluate to true. This can cause an infinite loop in the `logicalQuery.Select` function, leading to 100% CPU utilization and a Denial of Service (DoS) condition for the affected system.
Title		Github.com/antchfx/xpath: xpath: denial of service via crafted boolean xpath expressions
First Time appeared		Redhat Redhat acm Redhat enterprise Linux Redhat migration Toolkit Applications Redhat openshift Redhat openshift Compliance Operator Redhat openshift Distributed Tracing Redhat openshift File Integrity Operator
Weaknesses		CWE-835
CPEs		cpe:/a:redhat:acm:2 cpe:/a:redhat:migration_toolkit_applications:8 cpe:/a:redhat:openshift:4 cpe:/a:redhat:openshift_compliance_operator:1 cpe:/a:redhat:openshift_distributed_tracing:3 cpe:/a:redhat:openshift_file_integrity_operator:1 cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat acm Redhat enterprise Linux Redhat migration Toolkit Applications Redhat openshift Redhat openshift Compliance Operator Redhat openshift Distributed Tracing Redhat openshift File Integrity Operator
References		https://access.redhat.com/security/cve/CVE-2026-4645 https://bugzilla.redhat.com/show_bug.cgi?id=2450214 https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494 https://github.com/antchfx/xpath/issues/121 https://github.com/golang/vulndb/issues/4526
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: REJECTED

Assigner: redhat

Published: 2026-03-23T13:35:22.985Z

Updated: 2026-03-30T08:01:39.710Z

Reserved: 2026-03-23T12:21:39.096Z

Link: CVE-2026-4645

Vulnrichment

Updated:

NVD

Status : Rejected

Published: 2026-03-23T14:16:36.063

Modified: 2026-03-30T08:16:18.693

Link: CVE-2026-4645

Redhat

Severity : Important

Publid Date: 2026-03-17T20:58:59Z

Links: CVE-2026-4645 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object