Release notes


Red Hat Advanced Cluster Security for Kubernetes 4.8

Highlights what is new and what has changed with Red Hat Advanced Cluster Security for Kubernetes releases

Red Hat OpenShift Documentation Team

Abstract

The release notes for Red Hat Advanced Cluster Security for Kubernetes summarize all new features and enhancements, notable technical changes, deprecated and removed features, bug fixes, and any known bugs upon general availability.

Red Hat Advanced Cluster Security for Kubernetes (RHACS) is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across the build, deploy, and runtime stages of the application lifecycle. Red Hat Advanced Cluster Security for Kubernetes deploys into your infrastructure and integrates with your DevOps tools and workflows. This integration provides better security and compliance, enabling DevOps and InfoSec teams to operationalize security.

Table 1.1. Release dates

RHACS version    Released on
4.8.0            9 July 2025
4.8.1            28 July 2025
4.8.2            18 August 2025
4.8.3            9 September 2025
4.8.4            15 September 2025
4.8.5            3 November 2025
4.8.6            26 November 2025
4.8.7            18 December 2025
4.8.8            2 February 2026
4.8.9            16 March 2026
4.8.10           8 April 2026
4.8.11           28 April 2026

1.1. About release 4.8.0

RHACS 4.8 includes the following new features, improvements, and updates:

1.2. New features

This release adds improvements related to the following components and concepts:

1.2.1. Central DB uses PostgreSQL 15

The Central DB component now uses PostgreSQL 15, and RHACS 4.8 supports this version for external databases. A new installation with an internal database now uses this version by default. When upgrading an existing cluster to RHACS 4.8, Central DB performs an upgrade of the data it has collected.

Important

When preparing the upgrade to RHACS 4.8, follow these suggestions:

  • Back up the database before upgrading to RHACS 4.8.
  • If you are not upgrading by using the Operator, check the disk space available for the database by viewing the rox_central_postgres_available_size_bytes metric. For the purposes of the upgrade, the value should be double the amount of the already-consumed disk space, as shown in the rox_central_postgres_total_size_bytes metric. If the value is not correct, extend the database PVC.
  • Do not interrupt the upgrade procedure. If you interrupt the upgrade, you might need to intervene manually to continue. Depending on the amount of data, the upgrade can take extra time to finish.

For more information, see RHACS Support Matrix.
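The disk-space rule above can be turned into a pre-upgrade gate. The following Go program is an added example, not part of the RHACS documentation or code base: it reads the two metrics named above from Prometheus text-format output and reports whether the available space is at least double the consumed space. The sample metric text is constructed, and how you scrape the metrics from Central is left to your environment.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

const (
	availableMetric = "rox_central_postgres_available_size_bytes"
	usedMetric      = "rox_central_postgres_total_size_bytes"
)

// Constructed sample input: 40 GiB consumed with 60 GiB available (too tight),
// and 10 GiB consumed with 30 GiB available (enough headroom).
const constructedTight = `# constructed sample, not real output
rox_central_postgres_total_size_bytes 4.294967296e+10
rox_central_postgres_available_size_bytes 6.442450944e+10
`

const constructedRoomy = `rox_central_postgres_total_size_bytes 10737418240
rox_central_postgres_available_size_bytes 32212254720
`

// sampleValue returns the first sample of the named metric, tolerating an
// optional {label} set and a trailing timestamp on the line.
func sampleValue(exposition, name string) (float64, error) {
	sc := bufio.NewScanner(strings.NewReader(exposition))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || !strings.HasPrefix(line, name) {
			continue
		}
		rest := line[len(name):]
		if rest == "" || (rest[0] != '{' && rest[0] != ' ' && rest[0] != '\t') {
			continue // a longer metric name that merely shares the prefix
		}
		if rest[0] == '{' {
			end := strings.LastIndexByte(rest, '}')
			if end < 0 {
				return 0, fmt.Errorf("malformed label set in %q", line)
			}
			rest = rest[end+1:]
		}
		fields := strings.Fields(rest)
		if len(fields) == 0 {
			return 0, fmt.Errorf("no value in %q", line)
		}
		return strconv.ParseFloat(fields[0], 64)
	}
	return 0, fmt.Errorf("metric %s not found", name)
}

// Headroom holds the result of the check, all sizes in bytes.
type Headroom struct {
	Available, Used, Required, Shortfall float64
	OK                                   bool
}

// checkUpgradeHeadroom applies the rule from the release note: the available
// size should be double the already-consumed size.
func checkUpgradeHeadroom(exposition string) (Headroom, error) {
	avail, err := sampleValue(exposition, availableMetric)
	if err != nil {
		return Headroom{}, err
	}
	used, err := sampleValue(exposition, usedMetric)
	if err != nil {
		return Headroom{}, err
	}
	h := Headroom{Available: avail, Used: used, Required: 2 * used}
	h.OK = avail >= h.Required
	if !h.OK {
		h.Shortfall = h.Required - avail
	}
	return h, nil
}

func main() {
	for _, in := range []string{constructedTight, constructedRoomy} {
		h, err := checkUpgradeHeadroom(in)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("ok=%v used=%.0f available=%.0f shortfall=%.0f bytes\n",
			h.OK, h.Used, h.Available, h.Shortfall)
	}
}
```

A non-zero shortfall is the minimum amount by which to extend the database PVC before starting the upgrade.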

1.2.2. Quay registry keyless authentication

You can now use keyless authentication to access the Quay registry when RHACS has delegated scanning enabled for the Secured cluster. For keyless authentication, RHACS uses a Quay access token that is stored in a secret managed by the External Secrets Operator (ESO). The ESO on the Secured cluster manages the rotation of the credential in the secret, and RHACS APIs can use this credential to authenticate to the Quay image registry during image scans and check-ins in a particular namespace.

For more information, see Enabling Quay registry keyless authentication by using an external secret.

With this release, OpenShift Container Platform Infrastructure Compliance is now generally available. Use it to:

  • Easily assess compliance across your entire OpenShift Container Platform Cluster Fleet.
  • Ensure your OpenShift Container Platform infrastructure consistently adheres to your organizational security policies.

This release also includes an enhancement to compliance reporting. RHACS now generates compliance reports even when some clusters encounter failures during a scheduled scan. This prevents data gaps and provides continuous visibility, ensuring that you always receive a report reflecting the compliance status of all successfully scanned clusters.

With this release, RHACS now supports ARM architecture in Secured clusters. This update enables you to use ARM’s efficient power consumption and high performance-per-watt benefits, making it ideal for resource-intensive tasks and cost-effective scaling while enhancing flexibility and performance.

For more details, see RHACS Support Matrix.

1.2.5. Build-time network policy tool enhancements

This release introduces two key enhancements to the Build-time network policy tools roxctl netpol:

  • Expanded network policy visualization - The roxctl netpol connectivity map command now supports visualizing Admin Network Policies (ANP) and Baseline Admin Network Policies (BANP). It gives you a more comprehensive view of your network’s security posture.
  • Enhanced connectivity explainability - A new roxctl explainability feature helps you pinpoint the exact resources, including network policies, ANP, and BANP, that allow or deny connectivity between any two workloads. You can use the report to verify expected connectivity outcomes and guide you in modifying resources to achieve your desired network configuration.

For more information, see Build-time network policy tools.

1.2.6. View and customize platform components

RHACS now allows you to view and modify the definition of platform components using the system menu in the user interface or through the API. Red Hat recommends updating the platform components definition if you install OpenShift Container Platform Operators into non-default namespaces or if you want RHACS to consider any third-party software as a "Platform component". You can focus on actionable data in the User Workloads tabs by customizing this definition.

For more information, see Viewing and customizing platform components.

1.2.7. Policy as code is now generally available

Policy as code, which enables you to manage RHACS policies as Kubernetes custom resources, is now generally available. This feature supports GitOps workflows with tools like OpenShift Container Platform GitOps (Argo CD).

Key enhancements include:

  • Clusters and notifiers are addressed by name instead of by UUID.
  • The system provides additional error handling.

For more information, see Managing policies as code.

1.2.8. Support for keyless signing verification

RHACS 4.8 includes enhanced Sigstore integration with support for validating images signed using short-lived credentials. This enhancement uses an integration with the Rekor transparency log, which records the public key or certificate used to sign the image. RHACS retrieves this record to validate the signature.

Additionally, Fulcio integrates with OpenID Connect (OIDC) Identity Providers to exchange a user’s identity token for a short-lived credential to sign images, which facilitates a keyless signing workflow.

RHACS now allows you to include multiple OpenShift Container Platform projects or Kubernetes namespaces in a single Google Artifact Registry integration. For more details, see Integrating with image registries.

The external IP visibility feature is now generally available. This enhancement provides crucial insight into your cluster’s external communications. You can now visualize the exact external IP addresses your deployments communicate with. This improves your ability to understand external connections, identify potential threats, and validate network policies.

By default, this feature is disabled. However, when enabled, you see external IPs in the Network Graph. Additionally, Unauthorized Network Flow violations automatically include detailed external IP information, which streamlines your investigation process.

For more information, see Visualizing external entities.

Starting with RHACS 4.8, the system now reports both the CVE ID (Common Vulnerabilities and Exposures) and the RHSA (Red Hat Security Advisory) when available. RHSAs might include one or more security fixes, and might also contain bug or enhancement updates. In previous versions up to RHACS 4.7, RHACS replaced the CVE ID with the corresponding RHSA ID once Red Hat released a fix for the associated vulnerability.

1.3. Notable technical changes

This release contains the following changes:

  • Starting with RHACS 4.8, Scanner V4 is the default scanner for reporting vulnerabilities in User Workloads, Platforms, and Nodes for all new installations of RHACS Central and Secured Clusters.
  • RHACS 4.8 preserves the current scanner configuration for existing deployments that you upgrade. If you are using the StackRox Scanner, it remains in use after the upgrade. For switching to Scanner V4, see Enabling Scanner V4.
  • Scanner V4 runs in Central and you do not have to deploy it to secured clusters unless you have specific requirements, for example:

    • Accessing image registries that are not reachable from Central.
    • Using the OpenShift Container Platform image registry.
    • Running on RHACS Cloud Service with firewall restrictions that limit registry access to internal traffic.
    • Using registry mirroring.

      For more details, see Accessing delegated image scanning.

  • In roxctl CLI, certificate validation failures are now marked as errors.
  • RHACS 4.8 includes the updated roxctl help command output making it more readable. The output is now more consistent with other command-line tools.
  • Red Hat has moved the SecurityPolicy Custom Resource Definition (CRD) to the template directory within the Helm chart. This change simplifies CRD maintenance if you are using Helm, as it now automatically upgrades.

    Important

    If you are using Helm to manage your RHACS installation, you must apply the following changes to the SecurityPolicy CRD before upgrading to avoid upgrade failures:

    $ kubectl annotate crd/securitypolicies.config.stackrox.io meta.helm.sh/release-name=stackrox-central-services
    $ kubectl annotate crd/securitypolicies.config.stackrox.io meta.helm.sh/release-namespace=stackrox
    $ kubectl label crd/securitypolicies.config.stackrox.io app.kubernetes.io/managed-by=Helm

    • If you used a different name during your initial installation, update the release-name annotation to match that name. The default value is stackrox-central-services.
    • If you used a different namespace during your initial installation, update the release-namespace annotation to match that namespace. The default value is stackrox.
  • Sensor now ignores entries that contain invalid UTF-8 characters when reading Docker configuration pull secrets from Kubernetes.
  • The S3 integration type no longer supports Google Cloud Storage (GCS) buckets. Red Hat announced this change in RHACS 4.5.0. If you use GCS buckets for backups, you must now use the dedicated GCS integration.
  • Scoping Google image integrations by project is now optional.
  • The default output of the roxctl image scan command now includes three new fields when you use the --output option: CVSS, Advisory, and Advisory Link. The exact names of these fields depend on the specific output format you select.

    • CVSS represents the CVSS score of the vulnerability.
    • Advisory and Advisory Link represent the advisory related to the vulnerability, if RHACS tracks it. For example, a CVE’s associated Red Hat Security Advisory (RHSA), if the CVE relates to a Red Hat product.

1.4. Deprecated and removed features

Some features available in earlier releases have been deprecated or removed.

Deprecated functionality is still included in RHACS and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed, see the following table. Additional removed or deprecated functionality is available after the table.

In the table, features are marked with the following statuses:

  • GA: General Availability
  • TP: Technology Preview
  • DEP: Deprecated
  • REM: Removed
  • NA: Not applicable

Table 1.2. Deprecated and removed features tracker

Feature                                                             RHACS 4.6   RHACS 4.7   RHACS 4.8
API token authentication for Red Hat OpenShift Cluster Manager[1]   DEP         DEP         DEP
Compliance dashboard                                                NA          NA          DEP
definitions.stackrox.io                                             DEP         DEP         DEP
Google Container Registry integration[2]                            DEP         DEP         DEP
Kernel support packages and driver download functionality[3]        DEP         DEP         DEP
Reporting of Istio vulnerabilities                                  DEP         DEP         DEP
StackRox Scanner                                                    DEP         DEP         DEP
S3 backup on GCS buckets                                            DEP         DEP         REM
/v1/clustercves/suppress APIs[5,6]                                  DEP         DEP         DEP
/v1/clustercves/unsuppress APIs[5,6]                                DEP         DEP         DEP
/v1/nodecves/suppress APIs[5,6]                                     DEP         DEP         DEP
/v1/nodecves/unsuppress APIs[5,6]                                   DEP         DEP         DEP
/v1/summary/counts endpoint                                         DEP         DEP         DEP
Vulnerability Management (1.0) menu item[7]                         DEP         DEP         DEP
Vulnerability Report Creator permission                             DEP         DEP         DEP

  1. API token authentication is deprecated. The corresponding cloud source integration now uses service accounts for authentication.
  2. The Google Container Registry integration is deprecated in response to the deprecation of Container Registry. You can use the Artifact Registry as a registry replacement and Scanner V4 as a scanner replacement.

    For more information, see Transition from Container Registry (Google Cloud documentation).

  3. Kernel support packages and driver download functionality are deprecated.
  4. The RHACS-collector-slim* image is deprecated and has been removed in RHACS 4.7.0. RHACS-collector* image used to contain kernel modules and eBPF probes, but RHACS no longer needs those items. The RHACS-collector* and the RHACS-collector-slim* images are now functionally the same.
  5. A feature flag controls this API object, and you can enable or disable this API object by using the ROX_VULN_MGMT_LEGACY_SNOOZE environment variable.
  6. The format for specifying duration in JSON requests to v1/nodecves/suppress, v1/clustercves/suppress, and v1/imagecves/suppress has been changed to the ProtoJSON format. Only a numeric value representing seconds with optional fractional seconds for nanosecond precision and followed by the s suffix is supported.

    For example, 0.300s, -5400s, or 9900s. The previously valid time units of ns, us, µs, ms, m, and h are no longer supported.

  7. The Vulnerability Management Dashboard view is deprecated and is planned to be removed in a future release. You can use the User workload vulnerabilities, Exception management, Platform vulnerabilities, and Node CVEs views as alternatives.
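
The duration format change in note 6 breaks automation that still sends values such as 90m or 300ms. The following Go program is an added example, not RHACS code: it checks whether a string is already in the ProtoJSON form and otherwise converts a value written with the legacy units (ns, us, µs, ms, m, h) to seconds with the s suffix. The function names and the sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// protoJSONDuration matches the only form note 6 says is still accepted:
// optional sign, whole seconds, optional fraction of up to nine digits
// (nanosecond precision), and the "s" suffix.
var protoJSONDuration = regexp.MustCompile(`^-?[0-9]+(\.[0-9]{1,9})?s$`)

func isProtoJSONDuration(s string) bool {
	return protoJSONDuration.MatchString(s)
}

// toProtoJSONDuration parses a value written with the legacy units and
// renders it in seconds. Fractions use 3, 6 or 9 digits so that no
// nanosecond precision is lost and 300ms becomes "0.300s".
func toProtoJSONDuration(legacy string) (string, error) {
	d, err := time.ParseDuration(legacy)
	if err != nil {
		return "", fmt.Errorf("unparseable duration %q: %w", legacy, err)
	}
	ns := d.Nanoseconds()
	sign, abs := "", uint64(ns)
	if ns < 0 {
		sign, abs = "-", uint64(-ns)
	}
	secs, frac := abs/1000000000, abs%1000000000
	switch {
	case frac == 0:
		return fmt.Sprintf("%s%ds", sign, secs), nil
	case frac%1000000 == 0:
		return fmt.Sprintf("%s%d.%03ds", sign, secs, frac/1000000), nil
	case frac%1000 == 0:
		return fmt.Sprintf("%s%d.%06ds", sign, secs, frac/1000), nil
	default:
		return fmt.Sprintf("%s%d.%09ds", sign, secs, frac), nil
	}
}

// normalizeDuration leaves already valid values untouched and converts the
// rest, so it can be run over existing request payloads before sending them.
func normalizeDuration(s string) (string, error) {
	if isProtoJSONDuration(s) {
		return s, nil
	}
	return toProtoJSONDuration(s)
}

func main() {
	// Constructed sample values, as they might appear in an older script.
	for _, v := range []string{"300ms", "-1h30m", "2h45m", "9900s", "250µs", "two weeks"} {
		out, err := normalizeDuration(v)
		if err != nil {
			fmt.Printf("%-10s -> rejected: %v\n", v, err)
			continue
		}
		fmt.Printf("%-10s -> %s\n", v, out)
	}
}
```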

1.5. Bug fixes in version 4.8.0

Release date: 9 July 2025

  • Previously, if messages contained non-UTF-8 characters, the Secured Cluster sensor would remain uninitialized and offline. It prevented proper monitoring of affected clusters. With this release, the Sensor now handles non-UTF-8 characters in user-provided data. As a result, the Secured Cluster sensor no longer fails to initialize due to these characters and correctly monitors all clusters.
  • Previously, warning messages in sensor pod logs incorrectly indicated that images were Not Pullable because the system attempted to determine pullability even when the image ID was empty. As a consequence, images were skipped from workload CVE scans. RHACS 4.8 correctly scans the images for vulnerabilities.
  • Fixed an issue where signing images multiple times with different keys led to failed image signature verification.
  • Previously, sometimes RHACS did not correctly initialize the Scanner V4 integration with default indexer and matcher endpoints, which caused scanner pods to fail and prevented images from being scanned. With this update, RHACS correctly initializes the Scanner V4 integration, scans the images, and creates vulnerability reports as expected.
  • Previously, creating a security policy with a cluster scope using the cluster’s name would cause the UI to crash upon viewing the policy. It was due to the system’s inability to resolve the cluster name to its corresponding ID correctly. This update enables proper resolution of cluster names to IDs in security policies. As a result, you can now view policies with cluster scope in the UI without encountering errors.
  • Previously, the Scanner V4 failed to identify some critical CVEs in Java workloads because an unidentified jar error caused the scanner to skip valid JAR files during the scanning process. As a consequence, RHACS did not detect these vulnerabilities in the scan results. This update eliminates the unidentified jar error, enabling the scanner to process JAR files properly. As a result, the Scanner V4 now accurately identifies critical CVEs in Java workloads, providing comprehensive vulnerability scanning.
  • Previously, the Cancel button on the delegated scanning page provided no visual feedback if you made no changes, leading to confusion about its functionality. This lack of feedback occurred because the button only reset the form for unpersisted changes. This update introduces an Edit button to initiate editing, making the Save and Cancel buttons visible and enabled only when you make changes.

RHACS 4.9 streamlines the admission controller configuration by consolidating the existing listen and enforce settings into a single Enforcement option. You can select the following settings for the Enforcement option for create, update, and scale events:

  • Yes to enable enforcement for events.
  • No to disable enforcement for events.

1.7. About release 4.8.1

Release date: 28 July 2025

This release of RHACS 4.8 provides the following bug fixes:

  • Before this update, Central in RHACS 4.8 failed to create a backup because it used pg_dump from PostgreSQL version 13 with the PostgreSQL 15 database. With this release, the pg_dump version in Central is updated to resolve the backup failures.
  • Before this update, the network flow table migration during the 4.8 upgrade took an extended period of time, often timing out after 2 hours. This release implements batch network flow updates to reduce the migration time.
  • Before this update, Sensor’s failure to call stream.Recv() caused gRPC flow control to block image reprocessing every 4 hours. This update resolves the issue by including a timeout for sending messages to Sensors in the reprocessing loop, allowing image reprocessing to resume as expected.
  • Before this update, removing a network entity from the network tree failed to properly remove its parent node when it had no children or value. This led to a memory leak, causing increased memory usage and potential application crashes, especially noticeable when external IPs were enabled. This release resolves the memory leak by ensuring that RHACS removes parent nodes along with their child nodes, thereby optimizing network tree memory usage, reducing potential crashes, and improving system performance, particularly with external IPs enabled.
  • Before this update, excessive logging of telemetry collection status resulted in an abundance of log entries. This update configures telemetry collection to not emit repeated logs continuously, resolving the issue and significantly reducing log volume.
  • Before this update, Central sometimes stored external IPs in the database even after users deleted their corresponding deployments. This resulted in inaccessible and stale data, leading to a loss of storage and memory and potential memory exhaustion. With this release, Central no longer stores external IP information for deleted deployments, resolving these issues.
  • Before this update, the upgrade to Golang gRPC 1.67 and later caused problems with gRPC connections that affected multiple users. This issue prevented gRPC connections and blocked communications between Central and Sensor. With this release, the GRPC_ENFORCE_ALPN_ENABLED flag has been added in RHACS. The default value disables the Application-Layer Protocol Negotiation (ALPN) enforcement, and therefore allows the connection between Sensor and Central as well as the communication between the components.

1.8. About release 4.8.2

Release date: 18 August 2025

This release of RHACS 4.8 provides the following bug fixes:

  • The initialization of image rankers is moved from the critical startup path. Additionally, the query pattern is improved to stop retrieving excessive data. These changes improve startup time for Central and the RHACS portal and reduce memory consumption.

This release also addresses the following security vulnerabilities:

1.9. About release 4.8.3

Release date: 9 September 2025

Known issues

Central fails to start when using RHACS with Federal Information Processing Standards (FIPS)-enabled clusters. Do not upgrade Central to release 4.8.3 if you have FIPS-enabled clusters. You must upgrade to release 4.8.4 or later.

Other changes

Starting with RHACS 4.8.3, you might notice changes to container image metadata, such as container labels or Software Bill of Materials (SBOM) contents and location, as the product images are now built and released by using different technologies. These changes do not affect product functionality, but they might impact your third-party integrations.

This release of RHACS 4.8 provides the following bug fixes:

  • Before this update, you might have experienced a consistently growing Central database that caused constant resizing of the persistent volume claim (PVC) or service interruptions from a no space left on device error. With this release, if the hashes table is the source of the growth, you can turn off the feature by setting ROX_HASH_FLUSH_INTERVAL=0.
  • Before this update, the response times were slow because the serviceaccounts endpoint improperly handled pagination parameters and returned all service accounts. With this release, the serviceaccounts endpoint respects pagination limits and therefore returns only the specified number of service accounts.

1.10. About release 4.8.4

Release date: 15 September 2025

This release provides the following bug fix:

  • Before this update, users experienced issues starting Central in RHACS 4.8.3 on FIPS-enabled clusters due to non-FIPS compliant roxctl binaries. With this release, the roxctl binaries in the RHACS main image are no longer built with strictfipsruntime GOTAGS, fixing the startup error. As a result, Central now operates in FIPS-enabled OpenShift Container Platform clusters.

This release also addresses the following security vulnerabilities:

  • Vulnerability in the form-data JavaScript library (CVE-2025-7783)

1.11. About release 4.8.5

Release date: 3 November 2025

This release provides the following bug fixes:

  • Before this update, RHACS logged an excessive number of "acquiring scan semaphores" errors in recoverable scenarios, where the messages did not indicate an actual error. These messages have been reduced from ERROR to DEBUG level.
  • Before this update, Central processed large batches of process indicators in a single database transaction while holding a lock. With this update, the process indicator processing logic is optimized, resulting in reduced strain on Central and Central DB during high-volume indicator processing.
  • Before this update, the installed version of the Compliance Operator was not correctly reported through telemetry. With this update, the mechanism that reports the Compliance Operator version through telemetry is fixed and the Compliance Operator version is now correctly reported through telemetry.

1.12. About release 4.8.6

Release date: 26 November 2025

This release provides the following bug fixes:

  • Fixed an issue where automatically re-scanned images failed to suppress deferred CVEs in the RHACS portal, causing the CVEs to reappear in results and reports.
  • Fixed an issue that caused Central to panic and terminate Sensor connections when a Sensor sent an event type that was unknown to Central. This issue occurred specifically when Sensor version 4.9 ran with Central version 4.7 or 4.8 on an OpenShift Virtualization cluster. The fix ensures Central operates normally under these conditions and also improves future compatibility between Central version 4.9 and Sensor.
  • Fixed an issue that could cause database connection exhaustion when many sensors try to reconnect at the same time.

This release also addresses the following security vulnerabilities:

1.13. About release 4.8.7

Release date: 18 December 2025

This release provides the following bug fixes:

  • Fixed several PDF export issues, including fixing infinite spinners on export failure, enabling the jsPDF-AutoTable plugin, and correcting table column mapping for accurate data display.
  • Fixed inconsistent casing validation for policy categories that allowed the creation of duplicate categories.

This release addresses the following security vulnerability:

1.14. About release 4.8.8

Release date: 2 February 2026

This release provides the following bug fix:

  • Before this update, when you restored Central custom resources (CRs) from a backup, automatic certificate rotation was not enabled because central-tls was not owned by the Operator. With this fix, Central CRs restored from a backup have automatic certificate rotation enabled.

This release addresses the following security vulnerabilities:

  • Interpretation conflict vulnerability in node-forge allows unauthenticated attackers to bypass downstream cryptographic verifications and security decisions (CVE-2025-12816)
  • Flaw in qs allows a remote attacker to exploit an improper input validation vulnerability (CVE-2025-15284)
  • Uncontrolled recursion vulnerability in node-forge enables attackers to trigger unbounded recursive parsing with ASN.1 structures and cause denial of service (DoS) (CVE-2025-66031)
  • Vulnerability in jsPDF allows local file inclusion and path traversal (CVE-2025-68428)
  • GnuPG memory corruption vulnerability can allow information disclosure and potential arbitrary code execution (CVE-2025-68973)
  • React Router is vulnerable to XSS by open redirects or when creating redirect paths from untrusted content in framework mode, data mode, or the unstable RSC modes (CVE-2026-22029)
  • Flaw in Sigstore Timestamp Authority allows DoS by using excessive memory allocation when processing a specially crafted Object Identifier or Content-Type header (CVE-2025-66564)
  • Flaw in Fulcio allows DoS due to excessive memory allocation when processing a malicious OIDC identity token containing numerous period characters (CVE-2025-66506)

1.15. About release 4.8.9

Release date: 16 March 2026

This release provides the following bug fixes:

  • Improved Sensor logs for TLS issues: Before this update, when Sensor failed to connect to Central due to TLS issues, the logs provided inaccurate messages about cluster IDs. With this release, Red Hat improved the Sensor logs for TLS issues by removing misleading information about cluster IDs so that you can better diagnose the cause of connection failures.
  • Fixed an issue where an invalid machine-to-machine configuration could cause database connections to get stuck.

This release addresses the following security vulnerabilities:

  • urllib3: Unbounded decompression chain leads to resource exhaustion (CVE-2025-66418)
  • urllib3: Streaming API improperly handles highly compressed data (CVE-2025-66471)
  • urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API) (CVE-2026-21441)
  • lodash: Prototype pollution in _.unset and _.omit functions (CVE-2025-13465)
  • golang: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
  • jsPDF: Arbitrary code execution via unsanitized input in Acroform module (CVE-2026-24737)
  • jsPDF: Cross-user Data Leakage via race condition in addJS method (CVE-2026-24040)
  • golang: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)

1.16. About release 4.8.10

Release date: 8 April 2026

This release addresses the following security vulnerabilities:

  • jsPDF:

    • Denial of service via malicious GIF dimensions (CVE-2026-25535)
    • PDF object injection via unsanitized input in addJS method (CVE-2026-25755)
    • PDF injection in AcroForm module allows arbitrary JavaScript execution (CVE-2026-25940)
    • Cross-site scripting via unsanitized output options (CVE-2026-31938)
    • Arbitrary code execution via unsanitized input in createAnnotation method (CVE-2026-31898)
  • fast-xml-parser:

    • Denial of service via unlimited XML entity expansion (CVE-2026-26278)
    • Cross-site scripting (XSS) due to improper <DOCTYPE> entity handling (CVE-2026-25896)
    • Stack overflow leads to denial of service (CVE-2026-27942)
    • fast-xml-parser has RangeError DoS numeric entities bug (CVE-2026-25128)
    • Denial of service via XML entity expansion bypass (CVE-2026-33036)
  • SVGO: Denial of service via XML entity expansion (CVE-2026-29074)
  • gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186)

    Note

    This CVE is not addressed in Scanner V2 images in this release.

1.17. About release 4.8.11

Release date: 28 April 2026

This release provides the following bug fixes:

  • Before this update, the documentation for the central.exposure.route.reencrypt.tls certificate and key fields was unclear. When users configured these fields, the Operator failed with an error if only one field was specified. This release updates the documentation to clarify that you must specify both the certificate and key together, or omit both.
  • Updated RPMs used in build processes to address security vulnerabilities and ensure up-to-date dependencies.

This release also addresses the following security vulnerabilities:

  • Immutable.js: Improperly controlled modification of object prototype attributes (prototype pollution) in immutable (CVE-2026-29063)
  • JSON Object Signing and Encryption (JOSE): Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)
  • github.com/jackc/pgx: Memory-safety vulnerabilities (CVE-2026-33815), (CVE-2026-33816)
  • Kubelet, CRI-O, kube-apiserver: Denial of service via SPDY streaming code (CVE-2026-35469)
  • Security vulnerability in Docker components (CVE-2025-15558)
  • Security vulnerability in OpenTelemetry components (CVE-2026-24051)
  • gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186)

    Note

    This release addresses this vulnerability for Scanner V2.

1.18. Image versions

You can manually pull, retag, and push Red Hat Advanced Cluster Security for Kubernetes (RHACS) images to your registry. The current version includes the following images:

Table 1.3. Red Hat Advanced Cluster Security for Kubernetes images

Image: Main
Description: Includes Central, Sensor, Admission controller, and Compliance components. Also includes roxctl for use in continuous integration (CI) systems.
Current version: registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.8.11

Image: Central DB
Description: PostgreSQL instance that provides the database storage for Central.
Current version: registry.redhat.io/advanced-cluster-security/rhacs-central-db-rhel8:4.8.11

Image: Scanner
Description: Scans images and nodes.
Current version:
  1. registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:4.8.11
  2. registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8:4.8.11

Image: Scanner DB
Description: Stores image scan results and vulnerability definitions.
Current version: registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:4.8.11

Image: Scanner V4
Description: Scans images.
Current version: registry.redhat.io/advanced-cluster-security/rhacs-scanner-v4-rhel8:4.8.11

Image: Scanner V4 DB
Description: Stores image scan results and vulnerability definitions for Scanner V4.
Current version: registry.redhat.io/advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.8.11

Image: Collector
Description: Collects runtime activity in Kubernetes or OpenShift Container Platform clusters.
Current version:
  1. registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:4.8.11

Legal Notice

Copyright © Red Hat.
Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license. If you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.
The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.
All other trademarks are the property of their respective owners.