Openshift-gitops-operator: openshift gitops: namespace admin cluster takeover via privileged jobs

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster.

AI Analysis

Namespace admins can create ArgoCD Custom Resources that grant elevated permissions, allowing creation of privileged workloads and root access to the cluster.

Basic Information

ID CVE-2025-13888

Source redhat

Published Dec 15, 2025 at 15:36

Modified Dec 15, 2025 at 15:50

Affected Product

Vendor Red Hat

Product Red Hat OpenShift GitOps 1.18

Version sha256:7f6e588459ff59366a9f8f8f32a784806af11931f8584e46e1d53472a2e010a9

CWE Classification

CWE-266

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor Red Hat

Product OpenShift GitOps

Version 1.18

References

{
    "lastseen": "",
    "description": "A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster.",
    "published": "2025-12-15T15:36:49.274Z",
    "modified": "2025-12-15T15:50:21.160Z",
    "type": "cve",
    "title": "Openshift-gitops-operator: openshift gitops: namespace admin cluster takeover via privileged jobs",
    "source": "redhat",
    "references": "https://access.redhat.com/errata/RHSA-2025:23203\nhttps://access.redhat.com/security/cve/CVE-2025-13888\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2418361",
    "id": "CVE-2025-13888",
    "bulletinFamily": "",
    "cwe": [
        "CWE-266"
    ],
    "cvelist": null,
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Red Hat OpenShift GitOps 1.18",
    "version": "sha256:7f6e588459ff59366a9f8f8f32a784806af11931f8584e46e1d53472a2e010a9",
    "vendor": "Red Hat",
    "ai_description": "Namespace admins can create ArgoCD Custom Resources that grant elevated permissions, allowing creation of privileged workloads and root access to the cluster.",
    "ai_severity": "Critical",
    "ai_vendor": "Red Hat",
    "ai_product": "OpenShift GitOps",
    "ai_version": "1.18",
    "ai_score": 9.1
}

Openshift-gitops-operator: openshift gitops: namespace admin cluster takeover via privileged jobs_CVE-2025-13888