CVE-2026-6388
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
Summary
A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates.
Affected Software
| Vendor | Product | Version Range | Status |
|---|
Weaknesses
- CWE-1220: Insufficient Granularity of Access Control
Workarounds
Ensure that AppProject resources are configured to enforce strict tenant isolation within Red Hat OpenShift GitOps environments. Additionally, restrict the permissions of the Argo CD Image Updater controller to operate only within its designated namespaces, and limit the ability of users to create or modify ImageUpdater resources to trusted administrators. This reduces the risk of unauthorized cross-namespace application updates.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
argocd-image-updater: ArgoCD Image Updater: Cross-Namespace Privilege Escalation via insufficient namespace validation
Additional References
- https://access.redhat.com/security/cve/CVE-2026-6388
- https://bugzilla.redhat.com/show_bug.cgi?id=2458766
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6388.json
References
- https://access.redhat.com/security/cve/CVE-2026-6388
- https://bugzilla.redhat.com/show_bug.cgi?id=2458766
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.