OpenShift GitOps Operator Vulnerability Affecting ClusterRole Management
CVE-2026-14251
7.7HIGH
What is CVE-2026-14251?
A vulnerability exists in the OpenShift GitOps operator, where the ClusterRole reconciler fails to properly validate resource ownership. This lack of validation allows for a namespace-scoped Argo CD instance to potentially trigger the deletion of a ClusterRole that is owned by a cluster-scoped Argo CD instance. Through a maliciously crafted name collision, this could result in unexpected service disruptions and denial of service conditions, impacting the reliability of applications utilizing the affected operator.
References
CVSS V3.1
Score:
7.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Nebojša Jaćović for reporting this issue.