Description
A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates.
Published: 2026-04-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑namespace privilege escalation leading to unauthorized image updates and application integrity loss
Action: Apply Workaround
AI Analysis

Impact

The flaw lies in ArgoCD Image Updater, permitting an attacker who can create or edit an ImageUpdater resource in a multi‑tenant environment to bypass namespace boundaries due to insufficient validation. The attacker can trigger image updates on applications belonging to other tenants, escalating privileges across namespaces and compromising the integrity of those applications.

Affected Systems

Red Hat OpenShift GitOps (v1 or unspecified) is the affected product, as identified by the Red Hat CPE entry cpe:/a:redhat:openshift_gitops:1.

Risk and Exploitability

The CVSS score of 9.1 indicates a high‑severity vulnerability. While the EPSS score is not available and the vulnerability is not listed in the KEV catalog, the lack of public exploits does not mitigate the risk. Attackers need only the ability to create or edit ImageUpdater resources, a privilege that can be granted to cluster‑admin or project‑admin roles. Once granted, the attacker can perform unrestricted image updates across namespaces, effectively achieving cross‑namespace privilege escalation. The attack vector is inferred to be privilege‑based, relying on misconfigured or overly permissive RBAC.

Generated by OpenCVE AI on April 16, 2026 at 02:17 UTC.

Remediation

Vendor Workaround

Ensure that `AppProject` resources are configured to enforce strict tenant isolation within Red Hat OpenShift GitOps environments. Additionally, restrict the permissions of the Argo CD Image Updater controller to operate only within its designated namespaces, and limit the ability of users to create or modify `ImageUpdater` resources to trusted administrators. This reduces the risk of unauthorized cross-namespace application updates.

OpenCVE Recommended Actions

  • Configure AppProject resources to enforce strict tenant isolation within Red Hat OpenShift GitOps environments.
  • Restrict the permissions of the Argo CD Image Updater controller so that it can operate only within its intended namespaces.
  • Limit the ability of users to create or modify ImageUpdater resources to trusted administrators only.
  • Audit RBAC policies to ensure that only necessary roles have permissions to manage ImageUpdater resources.
  • Deploy the latest Red Hat OpenShift GitOps release once an official patch becomes available.

Generated by OpenCVE AI on April 16, 2026 at 02:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 15 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates.
Title Argocd-image-updater: argocd image updater: cross-namespace privilege escalation via insufficient namespace validation
First Time appeared Redhat
Redhat openshift Gitops
Weaknesses CWE-1220
CPEs cpe:/a:redhat:openshift_gitops:1
Vendors & Products Redhat
Redhat openshift Gitops
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L'}

Subscriptions

Redhat Openshift Gitops
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-16T14:26:23.879Z

Reserved: 2026-04-15T19:29:52.786Z

Link: CVE-2026-6388

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-15T22:17:22.583

Modified: 2026-04-15T22:17:22.583

Link: CVE-2026-6388

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-15T19:30:41Z

Links: CVE-2026-6388 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:00:05Z

Weaknesses