Description
A flaw was identified in Argo CD, the GitOps engine used by Red Hat OpenShift GitOps, that could allow an unauthenticated attacker with network access to the Argo CD repo-server to achieve remote code execution. Under certain conditions, the attacker may then manipulate cached data to deploy malicious Kubernetes resources to managed clusters, potentially resulting in complete cluster compromise.
Published: 2026-07-14
Score: 8.9 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

Vendor Workaround

Limit network access to the Argo CD repo-server gRPC endpoint to trusted internal components using Kubernetes NetworkPolicy or equivalent network access controls. Do not expose the repo-server outside the cluster or to untrusted networks. Restrict access to the associated Redis service and update to a fixed version once one becomes available.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Jul 2026 10:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:ansible_portal:2
Vendors & Products Redhat ansible Portal

Tue, 14 Jul 2026 09:15:00 +0000

Type Values Removed Values Added
Description A flaw was identified in Argo CD, the GitOps engine used by Red Hat OpenShift GitOps, that could allow an unauthenticated attacker with network access to the Argo CD repo-server to achieve remote code execution. Under certain conditions, the attacker may then manipulate cached data to deploy malicious Kubernetes resources to managed clusters, potentially resulting in complete cluster compromise.
Title Argo-cd: argo cd unauthenticated remote code execution in repo-server via generatemanifest grpc endpoint
First Time appeared Redhat
Redhat ansible Portal
Redhat openshift Data Foundation
Redhat openshift Gitops
Weaknesses CWE-306
CPEs cpe:/a:redhat:ansible_portal:2
cpe:/a:redhat:openshift_data_foundation:4
cpe:/a:redhat:openshift_gitops:1
Vendors & Products Redhat
Redhat ansible Portal
Redhat openshift Data Foundation
Redhat openshift Gitops
References
Metrics cvssV3_1

{'score': 8.9, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}


Subscriptions

Redhat Openshift Data Foundation Openshift Gitops
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-14T09:36:27.643Z

Reserved: 2026-07-10T14:49:39.682Z

Link: CVE-2026-15416

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function