{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6388", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-04-15T19:29:52.786Z", "datePublished": "2026-04-15T21:34:07.022Z", "dateUpdated": "2026-04-15T21:34:07.022Z"}, "containers": {"cna": {"title": "Argocd-image-updater: argocd image updater: cross-namespace privilege escalation via insufficient namespace validation", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat OpenShift GitOps", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift-gitops-1/argocd-image-updater-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift_gitops:1"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-6388", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458766", "name": "RHBZ#2458766", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-15T19:30:41.686Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-1220", "description": "Insufficient Granularity of Access Control", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-1220: Insufficient Granularity of Access Control", "workarounds": [{"lang": "en", "value": "Ensure that `AppProject` resources are configured to enforce strict tenant isolation within Red Hat OpenShift GitOps environments. Additionally, restrict the permissions of the Argo CD Image Updater controller to operate only within its designated namespaces, and limit the ability of users to create or modify `ImageUpdater` resources to trusted administrators. This reduces the risk of unauthorized cross-namespace application updates."}], "timeline": [{"lang": "en", "time": "2026-04-15T19:29:41.063Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-15T19:30:41.686Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-15T21:34:07.022Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates."}], "id": "CVE-2026-6388", "lastModified": "2026-04-15T22:17:22.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.3, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-04-15T22:17:22.583", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-6388"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458766"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1220"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"bugzilla": {"description": "argocd-image-updater: ArgoCD Image Updater: Cross-Namespace Privilege Escalation via insufficient namespace validation", "id": "2458766", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458766"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L", "status": "draft"}, "cwe": "CWE-1220", "details": ["A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates."], "mitigation": {"lang": "en:us", "value": "Ensure that `AppProject` resources are configured to enforce strict tenant isolation within Red Hat OpenShift GitOps environments. Additionally, restrict the permissions of the Argo CD Image Updater controller to operate only within its designated namespaces, and limit the ability of users to create or modify `ImageUpdater` resources to trusted administrators. This reduces the risk of unauthorized cross-namespace application updates."}, "name": "CVE-2026-6388", "package_state": [{"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-image-updater-rhel8", "product_name": "Red Hat OpenShift GitOps"}], "public_date": "2026-04-15T19:30:41Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6388\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6388"], "statement": "Critical: A cross-namespace privilege escalation flaw in Argo CD Image Updater, a component of Red Hat OpenShift GitOps, allows an attacker with permissions to create or modify `ImageUpdater` resources to trigger unauthorized image updates on applications in other namespaces. This impacts multi-tenant environments where the controller operates with broad cluster-level permissions. Red Hat OpenShift GitOps versions prior to v1.19.2 are affected.", "threat_severity": "Important"}