CVE-2025-13888
Published: Dec 15, 2025
Modified: Jan 22, 2026
CVSS v3.1: 9.1
Description
A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster.
| Vendor | Product | Versions |
|---|---|---|
| redhat-developer | gitops-operator | affected 0 - < 1.16.2 |
| Red Hat | Red Hat OpenShift GitOps 1.16 | unaffected sha256:c41c99f360a2515bce55c42e309e2c72500ba66d3a2c461412dee7de5ea9a9fa - < * |
| Red Hat | Red Hat OpenShift GitOps 1.17 | unaffected sha256:27e7a59bb5c5f60be7509e5f4f07f4181d62e6583a943c46f56f568bfc30c2c1 - < * |
| Red Hat | Red Hat OpenShift GitOps 1.18 | unaffected sha256:3eb6308c58365182b4b5b5aabf35754d821e25b8a04b0595900fb47d52cd3ecc - < * |
| Red Hat | Red Hat OpenShift GitOps 1.18 | unaffected sha256:43ba408b8ed58259bf338fd29260d936fbde9846f772d0580b3e7486ef8ea300 - < * |
| Red Hat | Red Hat OpenShift GitOps | All versions |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High