Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 1. Red Hat Advanced Cluster Security for Kubernetes 4.9

Red Hat Advanced Cluster Security for Kubernetes (RHACS) is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across the build, deploy, and runtime stages of the application lifecycle. Red Hat Advanced Cluster Security for Kubernetes deploys into your infrastructure and integrates with your DevOps tools and workflows. This integration provides better security and compliance, enabling DevOps and InfoSec teams to operationalize security.

Expand
Table 1.1. Release dates
RHACS versionReleased on

4.9.0

30 October 2025

4.9.1

24 November 2025

4.9.2

16 December 2025

4.9.3

17 February 2026

4.9.4

16 March 2026

4.9.5

8 April 2026

4.9.6

6 May 2026

4.9.7

2 June 2026

1.1. About release 4.9.0
Copy link

RHACS 4.9 includes the following new features, improvements, and updates:

Platform
Compliance
Policy
Vulnerability Management
External integrations
Security
Monitoring
Performance
Documentation

1.2. New features
Copy link

This release adds improvements related to the following components and concepts:

This release adds support to RHACS for vulnerability management of virtual machine (VM) workloads at runtime on Red Hat OpenShift Virtualization (RHOCPV). The feature requires you to run a virtual machine agent to perform continuous package scanning from inside of the virtual machine. Both Sensor and Central run RHACS version 4.9.0 and later.

Important

This is a Developer Preview feature introduced in RHACS 4.9 that is currently under active development. It is released with the intent of testing, feedback, and early evaluation only and is not supported for production environments.

For more information, see Vulnerability management for virtual machines with Red Hat Advanced Cluster Security for Kubernetes.

RHACS 4.9 provides new and simplified configuration options available during secured cluster installation for all installation methods. You can use these options to perform the following actions:

  • Configure the failure policy on its validating webhooks
  • Configure enforcement of the security policies that have enforcement enabled

In addition, several older configuration options have been deprecated for simplicity and correctness. For more information about deprecated items, see Deprecated and removed features.

You can view the new settings in the RHACS portal in the Platform Configuration Clusters page for each cluster. You can configure these settings by using the following methods:

  • For clusters installed by using the Operator, configure these settings in the SecuredCluster CR:

    • spec.admissionControl.failurePolicy: Determines the action that the cluster should take when an error or timeout happens with the admission controller. If the timeout seconds have been reached and the failure policy is Ignore, the API server "fails open" or accepts the create or update request. If the timeout seconds have been reached and the failure policy is set to Fail, the API server rejects the create or update request.
    • spec.admissionControl.enforcement: Determines if the admission controller has been configured to enforce policies that have enforcement enabled. This field defaults to Enabled for new installations.

  • For clusters installed by using Helm, configure these settings in the Helm values.yaml file:

    • admissionControl.failurePolicy: Determines the action that the cluster should take when an error or timeout happens with the admission controller. If the timeout seconds have been reached and the failure policy is Ignore, the API server "fails open" or accepts the create or update request. If the timeout seconds have been reached and the failure policy is Fail, the API server rejects the create or update request.
    • admissionControl.enforce: Determines if the admission controller has been configured to enforce policies that have enforcement enabled. This field defaults to true for new installations.

For more information, see the following documentation:

A new default policy, "Red Hat images must be signed by a Red Hat release key", is available with this release. This policy ensures that Red Hat images are signed by the Red Hat Release Key 3 product signing key. In addition to ensuring supply chain provenance, this default policy serves as an example of using the "Image Signature" field and combining it with other criteria.

For more information, see High severity security policies.

This process execution policy improvement automates the process of locking baselines, removing the need to complete this process manually for each deployment. The change is designed to significantly reduce the time and effort to complete this process and to enable security teams to focus on more critical work items.

Furthermore, this change allows for a more proactive security approach. Instead of waiting for a deployment to exist before setting up an alert, you can define a policy for a specific scope, such as a namespace. Any new deployment in that scope will automatically raise alerts, ensuring consistent security across all deployments.

For more information, see Configuring auto-lock for process baselines.

1.2.5. Vulnerability reporting enhancements
Copy link

With this release, you can directly export CSV files from the vulnerability management pages, potentially enhancing your vulnerability management workflows. This feature also empowers you to use granular filters and create on-demand, view-based reports and provides flexibility in analyzing data and addressing specific security concerns.

Additionally, you can generate view-based reports directly from both individual image and deployment detail pages.

For more information about creating and downloading vulnerability reports, see Vulnerability reporting.

With this release, using RHACS to generate a software bill of materials (SBOM) from scanned container images is generally available (GA). SBOM generation includes images scanned with the RHACS delegated scanning feature. These SBOMs provide a detailed overview of all software components, dependencies, and libraries within an application. The SBOMs created by RHACS are of the "Analyzed" type and conform to the SPDX 2.3 specification.

For more information, see Generating SBOMs from scanned images.

RHACS integration with the ServiceNow Container Vulnerability Response Application is now GA in the ServiceNow Marketplace. RHACS integration with ServiceNow populates rich container image vulnerability data from RHACS in the ServiceNow Container Vulnerability Response Module. It enables RHACS users to create custom vulnerability management workflows for efficient tracking and remediation of vulnerabilities.

With this update, RHACS supports transparent machine-to-machine (M2M) token exchange with external JSON web token (JWT) token issuers. RHACS performs a token exchange between third-party identity tokens and RHACS. It uses role mapping to allow access to the RHACS API. This improvement enables third-party clients that do not support the full M2M token exchange flow to access the RHACS API endpoint. For example, a Prometheus server does not support M2 token exchange, but can use Kubernetes service account tokens to access the API endpoint.

For more information, see Configuring API tokens.

With this release, you can declaratively configure M2M OIDC authentication. To configure M2M authentication resources, you first create YAML files that contain configuration information. These files are used to create a config map or secret. During installation of the RHACS Central resource, the config map or secret is added to Central by using a mount point.

For an example of setting up declarative configuration for short-lived OIDC token usage, see Declarative configuration short-lived token example.

Previously, in release 4.7, RHACS automatically rotated only the 1-year service certificates. This change enables automatic rotation for the 5-year CA certificates also. The change is designed to simplify the management of large cluster installations, where the manual upgrading of certificates can require significant effort.

Note

Automatic certificate rotation remains partially supported for Helm-installed secured clusters. These clusters can connect to Central with the rotated CA but their certificates remain signed by the older CA.

For more information, see Reissuing internal certificates.

With this release, the expiration time for cluster registration secrets (CRSes) is changed from a default value of 1 year to a default value of 1 hour. Additionally, you can configure the time period by using the --valid-until or --valid-for flags with the roxctl central crs command.

For more information, see roxctl central crs command.

With the 4.9 release, RHACS SMTP notifiers support configuring the EHLO/HELO hostname. This capability allows for better compatibility with strict mail relay servers in secured environments.

For more information, see Integrating with email.

1.2.13. RHACS supports detailed security metrics
Copy link

With the 4.9 release, RHACS Central exposes detailed security metrics on its /metrics API endpoint, allowing users to scrape this data by using an existing Prometheus infrastructure. With this feature, you can leverage deep, customizable security observability for proactive alerting and trend analysis.

For more information, see Using custom Prometheus metrics.

RHACS has improved Central’s handling of offline vulnerability bundles, resulting in less pressure on Central DB and Central disk, especially in larger environments.

With this release, Sensor uses significantly less memory than earlier releases in clusters with large numbers of processes that listen for connections. In extreme-scale environments, for example, clusters with greater than 10 million open ports, Sensor’s memory footprint related to open connections, endpoints, and process tracking is reduced by roughly 50%. This improvement helps prevent out-of-memory (OOM) kills. For moderate workloads, such as a few thousand open ports, memory savings typically range between 10 to 15%, depending on workload characteristics.

This optimization was achieved by changing how the Sensor tracks and reports updates to Central. Previously, Sensor retained full details of all open connections, endpoints, and processes while they remained active. Sensor also consumed memory required to store all of these details. With this change, Sensor stores only a fingerprint, or hash, of each object, greatly reducing memory usage.

1.3. Notable technical changes
Copy link

This release contains the following changes:

If you are updating from an RHACS release earlier than 4.6.10, 4.7.7, or 4.8.3, you might notice changes to container image metadata, such as container labels or SBOM contents and location. This change is because product images are now built and released by using different technologies. These changes do not affect product functionality, but they might impact your third-party integrations.

The policy editor in the RHACS portal was enhanced and includes rearranged and renamed policy criteria to better reflect their intended use in policy lifecycle stages. The policy lifecycle selection process was simplified and the introductory text was updated to assist you in authoring policies. The following changes were included:

  • Policy criteria categories were grouped under top-level headings that reflect how the criteria trigger policy violations.
  • Criteria related to image scan results were moved out of the Image contents category into a new category, Image scanning.
  • A new category, Baseline deviation, was created and the Unexpected network flow and Unexpected process execution criteria were moved into it.
  • Runtime audit log policy criteria were split into Resource operations and Resource attributes.

For more information, see Creating and modifying security policies.

With this release, accessing the following items requires read permissions for the cluster resource:

  • Compliance menus:

    • OpenShift Coverage
    • OpenShift Schedules

  • API endpoints:

    • /v2/compliance/*

For more information, see OpenShift infrastructure compliance.

Policy documentation was restructured, simplified, and enhanced. Comprehensive information was added to provide an overview of policy evaluation, structure, and enforcement. Reference information was split out into a separate section. Additionally, documentation errors were corrected.

For more information, see the following documentation:

1.4. Deprecated and removed features
Copy link

Some features available in earlier releases have been deprecated or removed.

Deprecated functionality is still included in RHACS and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed, see the following table. Additional information about removed or deprecated functionality is available after the table.

In the table, features are marked with the following statuses:

  • GA: General Availability
  • TP: Technology Preview
  • DEP: Deprecated
  • REM: Removed
  • NA: Not applicable
Expand
Table 1.2. Deprecated and removed features tracker
FeatureRHACS 4.7RHACS 4.8RHACS 4.9

Admission controller configuration parameters:

  • admissionControl.contactImageScanners
  • admissionControl.dynamic.enforceOnCreates
  • admissionControl.dynamic.enforceOnUpdates
  • user configuration ability of admissionControl.dynamic.scanInline
  • user configuration ability of admissionControl.dynamic.timeout
  • admissionControl.listenOnCreates
  • admissionControl.listenOnEvents
  • admissionControl.listenOnUpdates
  • admissionControl.timeoutSeconds

GA

GA

DEP

API token authentication for Red Hat OpenShift Cluster Manager

DEP

DEP

DEP

Collections hierarchical implementation

GA

GA

DEP

Compliance dashboard

NA

DEP

DEP

definitions.stackrox.io

DEP

DEP

DEP

Export Download Evidence as CSV button

GA

GA

REM

Google Container Registry integration

DEP

DEP

DEP

GraphQL endpoints

GA

GA

DEP

GraphQL image scan components and image scan components vulns queries

GA

GA

REM

Kernel support packages and driver download functionality

DEP

DEP

DEP

Manifest installation method, also called the roxctl CLI installation method

GA

GA

DEP

Reporting of Istio vulnerabilities

DEP

DEP

DEP

roxctl admission controller parameters:

  • --admission-controller-enforce-on-creates
  • --admission-controller-enforce-on-updates
  • --admission-controller-listen-on-creates
  • --admission-controller-listen-on-updates
  • --admission-controller-listen-on-events
  • --admission-controller-timeout

GA

GA

DEP

StackRox Scanner

DEP

DEP

DEP

/v1/clustercves/suppress APIs

DEP

DEP

DEP

/v1/clustercves/unsuppress APIs

DEP

DEP

DEP

/v1/nodecves/suppress APIs

DEP

DEP

DEP

/v1/nodecves/unsuppress APIs

DEP

DEP

DEP

/v1/summary/counts endpoint

DEP

DEP

REM

Vulnerability Management (1.0) menu item

DEP

DEP

DEP

Vulnerability Report Creator permission

DEP

DEP

DEP

API token authentication for Red Hat OpenShift Cluster Manager
API token authentication is deprecated. The corresponding cloud source integration uses service accounts for authentication.
Collections hierarchical implementation
The current hierarchical implementation for defining Collections is deprecated and is anticipated to be replaced by a more comprehensive search-based definition in a future release.
Export Download Evidence as CSV button
The Export Download Evidence as CSV functionality was removed from the image, node, and platform CVE pages due to technical issues. This functionality is provided by new reporting features. For more information about creating and downloading vulnerability reports, see Vulnerability reporting.
Google Container Registry integration

The Google Container Registry integration is deprecated in response to the deprecation of Container Registry. You can use the Artifact Registry as a registry replacement and Scanner V4 as a scanner replacement.

For more information, see Transition from Container Registry (Google Cloud documentation).

GraphQL endpoints
All GraphQL endpoints are deprecated and are expected to be removed in a future release. The endpoints were created to support the RHACS portal. All other uses are unsupported.
GraphQL image scan components and image scan components vulns queries
The deprecated and unsupported GraphQL query of image scan components and image scan components vulns has been eliminated in favor of image scan imageComponents and image scan imageComponents imageVulnerabilities.
Kernel support packages and driver download functionality
Kernel support packages and driver download functionality are deprecated.
Manifest installation method, also called the roxctl CLI installation method
The manifest installation method is deprecated and is expected to be removed in the future. Manifest installation is currently done by using the roxctl {central,sensor,scanner} generate command in the CLI, or by choosing the legacy installation method in the RHACS portal. Use the Operator or Helm installation methods.
StackRox Scanner
Although the StackRox Scanner is deprecated, it still must be enabled on the cluster where Central is installed due to software dependencies.
Cluster CVEs and node CVEs suppress and unsuppress API objects
A feature flag controls these API objects, and you can enable or disable them by using the ROX_VULN_MGMT_LEGACY_SNOOZE environment variable. The format for specifying duration in JSON requests to v1/nodecves/suppress, v1/clustercves/suppress, and v1/imagecves/suppress has been changed to the ProtoJSON format. Only a numeric value representing seconds with optional fractional seconds for nanosecond precision and followed by the s suffix is supported, for example, 0.300s, -5400s, or 9900s. The previously valid time units of ns, us, µs, ms, m, and h are no longer supported.
Vulnerability Management (1.0) menu item
The Vulnerability Management Dashboard view is deprecated and is planned to be removed in a future release. You can use the User workload vulnerabilities, Exception management, Platform vulnerabilities, and Node CVEs views as alternatives.

1.5. Bug fixes in version 4.9.0
Copy link

Release date: 30 October 2025

  • Fixed a bug in the policy editor in the RHACS portal that causes environment variables criteria or Dockerfile criteria with a keyword of ENV to be malformed when the criteria value includes the = character.
  • With this release, when allowPrivilegeEscalation is not defined in a containers security context, RHACS assumes the value is true. As part of good security practices, this value would usually be explicitly set to false to provide better security and ensure that the container cannot access a parent process with higher privileges. Policies with that criteria also create violations on deployments with containers that do not have the allowPrivilegeEscalation field defined in their security context.
  • Before this update, the response times were slow because the serviceaccounts endpoint improperly handled pagination parameters and returned all service accounts. With this release, you can use the serviceaccounts endpoint, which considers pagination limits and therefore returns only the specified number of service accounts.
  • Before this update, you might have experienced a consistently growing Central database that caused constant resizing of the persistent volume claim (PVC) or service interruptions from a no space left on device error. With this release, if the hashes table is the source of the growth, you can turn off the feature by setting ROX_HASH_FLUSH_INTERVAL=0.
  • Before this update, Sensor’s failure to call stream.Recv() caused gRPC flow control to block image reprocessing every 4 hours. This update resolves the issue by including a timeout for sending messages to Sensors in the reprocessing loop, allowing image reprocessing to resume as expected.
  • With this update, we have streamlined our Central startup process, making the API endpoint available sooner.
  • The RHACS 4.7.7, 4.8.3, and 4.8.4 releases set mediaType on container images to oci which is not compatible with some older registries and could break image mirroring. In this release, the mediaType is reverted to docker so that RHACS product images can be mirrored in older image registries not supporting the oci mediaType.
  • With this release, the gRPC framework better propagates server name information to the processing of requests. This ensures benefits that include the generation of a correct redirect URI for the OpenShift Container Platform authentication backend, and as a consequence, a working OpenShift Container Platform authentication flow.
  • The matching logic for the process arguments criterion in security policies is fixed to do a "contains" match for the supplied values, instead of a whole string match.
  • Before this update, diagnostic bundles included telemetry gathering information from all clusters without respecting the cluster filter. As a consequence, users experienced slow diagnostic bundle creation for large fleet clusters. With this release, diagnostic bundle generation respects cluster filters and diagnostic bundle generation for large fleets is faster.
  • Fixed a bug that caused secured clusters to get stuck in a pending, or locked, state when an API referenced by Helm was removed from the cluster.
  • Fixed a bug where searching on an unknown label caused Central to crash.
  • Fixed an issue that could cause database connection exhaustion when many sensors try to reconnect at the same time.

  • Various bugs for Compliance Operator were fixed and improvements were made, including the following items:

    • Profiles are better mapped to specific Coverage tabs, for example, OCP4-CIS is displayed under the CIS tab.
    • BSI profiles now display in their own tab, instead of in the Other tab in the Coverage page.
    • Scans can be scheduled for node profiles of different products.
    • Sensor retries and waits longer for Compliance Operator and related Kubernetes resource creation.

1.6. About release 4.9.1
Copy link

Release date: 24 November 2025

This release provides the following bug fixes:

  • Fixed an issue where upgrades to 4.9 took longer than expected. Optimized the database migration for process indicators added in version 4.9 by implementing a strategy to drop indices before migration and rebuild them after, significantly improving performance.
  • Fixed an issue where automatically re-scanned images failed to suppress deferred CVEs in the RHACS portal, causing the CVEs to reappear in results and reports.
  • Fixed an issue that caused Central to panic and terminate Sensor connections when a Sensor sent an event type that was unknown to Central. This issue occurred specifically when Sensor version 4.9 ran with Central version 4.7 or 4.8 on an RHOCPV cluster. The fix ensures Central operates normally under these conditions and also improves future compatibility between Central version 4.9 and Sensor.
  • Fixed an issue where Sensor sent VM data even when the feature flag ROX_VIRTUAL_MACHINES was not enabled, causing Central to terminate Sensor connections when it received unknown event types. If you are testing the support for scanning virtual machines developer preview feature, you must use Sensor and Central version 4.9.0 and later.
  • Fixed an issue where the SensorCAHashExtension logger name accumulated indefinitely in the Operator logs, making the logs unreadable.

This release also addresses the following security vulnerability:

1.7. About release 4.9.2
Copy link

Release date: 16 December 2025

This release provides the following bug fixes:

  • Fixed inconsistent casing validation for policy categories that allowed creation of duplicate categories.
  • Fixed an issue that caused slow response times when listing images by preventing the unnecessary retrieval of image components and CVEs from the database.

1.8. About release 4.9.3
Copy link

Release date: 17 February 2026

This release provides the following bug fixes:

  • Fixed an issue where the lack of Go 1.25 updates on non-master branches caused continuos integration (CI) images to use unsupported versions. The system now incorporates Go 1.25 across all relevant branches, providing necessary support for RHACS 4.8.8 and RHACS 4.9.3 while addressing known security vulnerabilities.
  • Fixed an issue where deployments with an empty SecurityContext failed to trigger Container with privilege escalation allowed violations. The system now correctly defaults to allowPrivilegeEscalation: true when the field is unspecified, ensuring consistent policy enforcement across all the deployments.
  • Fixed an issue where the Central pod could panic due to context timeouts during Postgres database operations, which caused readiness probe failures after upgrading to RHACS 4.9.0.
  • Fixed an issue where database operations incorrectly created new connections instead of reusing existing connections during transactions by ensuring that db.Begin correctly returns the transaction in context.
  • Fixed an issue where database transactions could fail to commit or roll back if the operation context expired, by ensuring that Begin validates the input context and returns a child context with an independent deadline for transaction finalization.
  • When restoring Central custom resources (CRs) from a backup, automatic certificate rotation is not enabled because central-tls is not owned by the Operator. With the fix, Central CRs restored from backup will have automatic certificate rotation enabled.

This release also addresses the following security vulnerabilities:

  • GnuGP memory corruption vulnerability can allow information disclosure and potential arbitrary code execution (CVE-2025-68973)
  • Uncontrolled recursion vulnerability in node-forge allows unauthenticated attackers to cause a denial of service through stack exhaustion by providing crafted deep ASN.1 structures (CVE-2025-66031)
  • Denial of service vulnerability in sigstore/timestamp-authority allows unauthenticated attackers to trigger excessive memory allocation and CPU consumption through malformed object identifiers (OIDs) or Content-Type headers (CVE-2025-66564)
  • Denial of service vulnerability in Fulcio allows unauthenticated attackers to trigger excessive memory allocation and resource exhaustion through crafted OpenID Connect (OIDC) tokens containing excessive period characters (CVE-2025-66506)
  • Denial of service vulnerability in archive/tar allows attackers to cause unbounded memory allocation and resource exhaustion through crafted GNU sparse maps in tar archives (CVE-2025-58183)
  • Interpretation conflict vulnerability in node-forge allows unauthenticated attackers to bypass downstream cryptographic verifications and security decisions (CVE-2025-12816)
  • Flaw in qs allows a remote attacker to exploit an improper input validation vulnerability (CVE-2025-15284)
  • Vulnerability in jsPDF allows local file inclusion and path traversal (CVE-2025-68428)
  • React Router is vulnerable to XSS by open redirects or when creating redirect paths from untrusted content in framework mode, data mode, or the unstable RSC modes (CVE-2026-22029)

1.9. About release 4.9.4
Copy link

Release date: 16 March 2026

This release provides the following bug fixes:

  • Before this update, when Sensor failed to connect to Central due to TLS issues, the logs provided inaccurate messages about cluster IDs. With this release, Red Hat improved the Sensor logs for TLS issues by removing misleading information about cluster IDs so that you can better diagnose the cause of connection failures.
  • Fixed an issue where an invalid machine-to-machine configuration could cause database connections to get stuck.
  • Before this update, you might have experienced mTLS handshake failures between Sensor and Scanner V4 Indexer due to misaligned certificate authority (CA) rotations in your co-located deployments. This issue prevented Sensor from successfully scanning images within the OpenShift Container Platform internal registry. With this release, you can now scan OpenShift Container Platform internal registry images in co-located deployments without encountering x509 certificate errors.

Before this update, a connection leak in the DeleteClusterCVEsForCluster function caused database connection issues during rollbacks. As a consequence, you experienced connection issues when you deleted cluster CVEs. With this release, Red Hat fixed the connection leak by ensuring the system performs a proper rollback during database operations.

This release also addresses the following security vulnerabilities:

  • urllib3: Unbounded decompression chain leads to resource exhaustion (CVE-2025-66418)
  • urllib3: Streaming API improperly handles highly compressed data (CVE-2025-66471)
  • golang: Excessive resource consumption in crypto/x509 HostnameError when printing certificate validation errors due to unbounded host list and quadratic string concatenation (CVE-2025-61729)
  • golang: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
  • golang: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
  • jsPDF: Arbitrary code execution via unsanitized input in Acroform module (CVE-2026-24737)
  • jsPDF: Cross-user Data Leakage via race condition in addJS method (CVE-2026-24040)
  • lodash: Prototype pollution in _.unset and _.omit functions (CVE-2025-13465)
  • urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API) (CVE-2026-21441)

1.10. About release 4.9.5
Copy link

Release date: 8 April 2026

This release provides the following bug fixes:

  • Before this update, Helm charts did not configure image pull secrets for the Scanner service account when you disabled Scanner V4 and used only Scanner V2. This caused Scanner images to fail to pull. With this release, Red Hat has corrected the Helm chart configuration to properly inject image pull secrets into the Scanner service account. As a result, Scanner images pull successfully in all configurations.
  • Before this update, selected execution paths in Sensor did not check whether the cluster entities store history enabled or disabled the history feature. This caused an issue where Sensor allocated memory that was never used for clusters with enabled history. With this release, Red Hat has added a check for cluster entities history to prevent unnecessary storage. As a result, the system maintains optimal memory usage because it no longer stores unnecessary items in the cluster entities store history.
  • Before this update, the endpointsStore.addToHistory function performed unnecessary operations, which increased sensor CPU load and elevated event-processing latency in larger clusters. With this release, Red Hat has improved CPU efficiency in endpointsStore mutations to reduce latency. As a result, the system processes events faster and maintains lower CPU usage in large clusters with many endpoints.

This release addresses the following security vulnerabilities:

  • jsPDF:

    • Denial of service via malicious GIF dimensions (CVE-2026-25535)
    • PDF object injection via unsanitized input in addJS method (CVE-2026-25755)
    • PDF injection in AcroForm module allows arbitrary JavaScript execution (CVE-2026-25940)
    • Cross site scripting via unsanitized output options (CVE-2026-31938)
    • CVE-2026-31898 Arbitrary code execution via unsanitized input in createAnnotation method (CVE-2026-31898)

  • fast-xml-parser:

    • fast-xml-parser has RangeError DoS numeric entities bug (CVE-2026-25128)
    • Denial of service via unlimited XML entity expansion (CVE-2026-26278)
    • Cross-site scripting (XSS) due to improper <DOCTYPE> entity handling (CVE-2026-25896)
    • Stack overflow leads to denial of service (CVE-2026-27942)
    • Denial of service via XML entity expansion bypass (CVE-2026-33036)

  • gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186)

    Note

    This CVE is not addressed in Scanner V2 images in this release.

1.11. About release 4.9.6
Copy link

Release date: 6 May 2026

This release provides the following bug fixes:

  • Before this update, the documentation for Central exposure route reencrypt TLS certificate and key configuration requirements was unclear. Users attempting to configure these fields encountered Operator failures with the following error message:

    FATAL ERROR: The reencrypt route must specify either both, certificate and key, or neither.

    With this release, Red Hat has clarified the documentation to specify that users must configure the certificate and key fields together or omit both. As a result, users can now correctly configure reencrypt routes.

This release addresses the following security vulnerabilities:

  • Security vulnerability in OpenTelemetry components (CVE-2026-24051)
  • Security vulnerability in Docker components (CVE-2025-15558)
  • Kubelet, CRI-O, kube-apiserver: Denial of service via SPDY streaming code (CVE-2026-35469)
  • github.com/jackc/pgx: Memory-safety vulnerability (CVE-2026-33815, CVE-2026-33816)
  • Go JOSE: Denial of service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)
  • gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186)
  • Immutable.js: Improperly controlled modification of object prototype attributes (prototype pollution) in immutable (CVE-2026-29063)

1.12. About release 4.9.7
Copy link

Release date: 2 June 2026

This release provides the following bug fixes:

  • Before this update, CVE severity ratings displayed inconsistent values in the RHACS portal. When users viewed the same CVE on different pages, the severity level could appear as "Critical" on the image page but "Important" on the CVE page. With this release, Red Hat has corrected the severity calculation logic. As a result, CVE severity ratings now display consistently across all pages.

This release addresses the following security vulnerabilities:

  • gosaml2:

  • Axios:

    • Invisible JSON response tampering via prototype pollution gadget (CVE-2026-42044)
    • Authentication bypass due to prototype pollution of HTTP error handling (CVE-2026-42041)
    • Denial of service via unbounded recursion in toFormData with deeply nested request data (CVE-2026-42039)
    • NO_PROXY bypass via crafted URL (CVE-2026-42043)
    • HTTP transport hijacking via prototype pollution (CVE-2026-42033)
    • Arbitrary HTTP header injection via prototype pollution (CVE-2026-42035)
    • Remote code execution via prototype pollution escalation (CVE-2026-40175)
    • Server-side request forgery and proxy bypass due to improper hostname normalization (CVE-2025-62718)
  • follow-redirects: Information disclosure via cross-domain redirects (CVE-2026-40895)
  • Go crypto/x509: Denial of service via inefficient certificate chain validation (CVE-2026-32281)

1.13. Image versions
Copy link

You can manually pull, retag, and push Red Hat Advanced Cluster Security for Kubernetes (RHACS) images to your registry. The current version includes the following images:

Expand
Table 1.3. Red Hat Advanced Cluster Security for Kubernetes images
ImageDescriptionCurrent version

Main

Includes Central, Sensor, Admission controller, and Compliance components. Also includes roxctl for use in continuous integration (CI) systems.

registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.9.7

Central DB

PostgreSQL instance that provides the database storage for Central.

registry.redhat.io/advanced-cluster-security/rhacs-central-db-rhel8:4.9.7

Scanner

Scans images and nodes.

  1. registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:4.9.7
  2. registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8:4.9.7

Scanner DB

Stores image scan results and vulnerability definitions.

registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:4.9.7

Scanner V4

Scans images.

registry.redhat.io/advanced-cluster-security/rhacs-scanner-v4-rhel8:4.9.7

Scanner V4 DB

Stores image scan results and vulnerability definitions for Scanner V4.

registry.redhat.io/advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.9.7

Collector

Collects runtime activity in Kubernetes or OpenShift Container Platform clusters.

registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:4.9.7

Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Legal Notice

Theme

© 2026 Red HatBack to top