Privilege Escalation Vulnerability in OpenShift GitOps by Red Hat
CVE-2025-13888

9.1 CRITICAL

What is CVE-2025-13888?

A security flaw exists in OpenShift GitOps that lets a namespace administrator create ArgoCD Custom Resources (CRs) in a way that escalates privileges across namespaces. An authenticated attacker can thereby reach privileged workloads running on master (control-plane) nodes, potentially obtaining root-level access to the entire cluster. Prompt patching and the usual hardening measures are imperative to mitigate this vulnerability.

Affected Version(s)

gitops-operator: all versions before 1.16.2 (affected range 0 ≤ version < 1.16.2)

Red Hat OpenShift GitOps 1.16 (image digest sha256:bcc192e3e9ff8dfd15bd311fdeda919653721e85338c96d5ad29fa6f1e4e3365)

Red Hat OpenShift GitOps 1.17 (image digest sha256:27e7a59bb5c5f60be7509e5f4f07f4181d62e6583a943c46f56f568bfc30c2c1)
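The version range and image digests above are the two pieces of data a defender actually needs for triage. The following POSIX sh helpers are an added example, not code from the Red Hat advisory or from the GitOps project: they classify an operator version against the stated range (fixed in 1.16.2, everything lower affected) and match an image reference against the two digests the page lists. The sample inventory is constructed, the registry name is a placeholder, and the version format (major.minor.patch, optional leading "v" or "-N" build suffix) is an assumption.

```shell
#!/bin/sh
# Added triage helpers for CVE-2025-13888; not part of the advisory or of OpenShift GitOps.

# Fix first shipped in gitops-operator 1.16.2 (affected range stated as 0 < 1.16.2).
FIXED_MAJOR=1; FIXED_MINOR=16; FIXED_PATCH=2

# Image digests the advisory lists as affected (copied from the page above).
AFFECTED_DIGESTS="sha256:bcc192e3e9ff8dfd15bd311fdeda919653721e85338c96d5ad29fa6f1e4e3365
sha256:27e7a59bb5c5f60be7509e5f4f07f4181d62e6583a943c46f56f568bfc30c2c1"

# Print "affected" when an operator version satisfies 0 <= v < 1.16.2, else "fixed".
# Assumed input shapes: "1.16.1", "v1.16.1", "1.16" (patch defaults to 0), "1.16.2-3".
classify_gitops_version() {
  ver=${1#v}            # drop a leading "v"
  ver=${ver%%-*}        # drop a build suffix such as "-3"
  old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
  maj=${1:-0}; min=${2:-0}; pat=${3:-0}
  if [ "$maj" -lt "$FIXED_MAJOR" ] ||
     { [ "$maj" -eq "$FIXED_MAJOR" ] && [ "$min" -lt "$FIXED_MINOR" ]; } ||
     { [ "$maj" -eq "$FIXED_MAJOR" ] && [ "$min" -eq "$FIXED_MINOR" ] && [ "$pat" -lt "$FIXED_PATCH" ]; }; then
    echo affected
  else
    echo fixed
  fi
}

# Print "affected" when an image reference pins one of the listed digests,
# "no-digest" for a tag-only reference (cannot be matched), else "not-listed".
# A digest absent from the list is not proof of safety; it only means the
# advisory did not name it.
classify_gitops_image() {
  digest=${1##*@}
  [ "$digest" = "$1" ] && { echo no-digest; return 0; }
  for d in $AFFECTED_DIGESTS; do
    [ "$d" = "$digest" ] && { echo affected; return 0; }
  done
  echo not-listed
}

# Constructed sample inventory, one row per installed operator: "<name> <version> <image>".
# registry.example is a placeholder, not a real registry.
SAMPLE_INVENTORY="openshift-gitops-operator 1.16.1 registry.example/gitops-operator@sha256:bcc192e3e9ff8dfd15bd311fdeda919653721e85338c96d5ad29fa6f1e4e3365
openshift-gitops-operator 1.16.2 registry.example/gitops-operator@sha256:0000000000000000000000000000000000000000000000000000000000000000
openshift-gitops-operator 1.17.0 registry.example/gitops-operator@sha256:27e7a59bb5c5f60be7509e5f4f07f4181d62e6583a943c46f56f568bfc30c2c1"

# Walk the inventory; report each row that matches either indicator on stderr
# and print the number of affected rows on stdout. Note that the 1.17.0 row is
# "fixed" by version yet still flagged, because the advisory lists its digest.
count_affected_rows() {
  n=0
  while read -r name ver img; do
    [ -z "$name" ] && continue
    v=$(classify_gitops_version "$ver")
    i=$(classify_gitops_image "$img")
    if [ "$v" = affected ] || [ "$i" = affected ]; then
      n=$((n + 1))
      echo "AFFECTED $name $ver (version: $v, digest: $i)" >&2
    fi
  done <<EOF
$SAMPLE_INVENTORY
EOF
  echo "$n"
}

count_affected_rows
```

On a live cluster the inventory rows would come from the operator's ClusterServiceVersion (for example `oc get csv -A`, reading the CSV name and `.spec.version`) and from the pinned image references of the running operator pods; those commands and field names are the usual OLM conventions, not something the advisory specifies. The digest check matters because the advisory flags a 1.17 image by digest even though 1.17 lies outside the stated version range, so a version comparison alone would miss it.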

CVSS v3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

(Vector string for the metrics above: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Timeline

  • Vulnerability published

  • Vulnerability Reserved
