CVE-2025-13888

Published: Dec 15, 2025Modified: Jan 22, 2026

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Exploitability: 2.3 / Impact: 6.0

Source: secalert@redhat.com (Secondary)

Description

A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster.

Related CWEs

Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References (9)

https://access.redhat.com/errata/RHSA-2025:23203

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:23206

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:23207

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2026:1017

Source: secalert@redhat.com

https://access.redhat.com/security/cve/CVE-2025-13888

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2418361

Source: secalert@redhat.com

https://github.com/redhat-developer/gitops-operator/commit/bc6ac3e03d7c8b3db5d8f1770c868396a4c2dcef

Source: secalert@redhat.com

https://github.com/redhat-developer/gitops-operator/pull/897

Source: secalert@redhat.com

https://github.com/redhat-developer/gitops-operator/releases/tag/v1.16.2

Source: secalert@redhat.com

Timeline

No history available yet.