OpenShift GitOps Operator Vulnerability Affecting ClusterRole Management
CVE-2026-14251

7.7HIGH

Key Information:

Vendor

Red Hat

Vendor
CVE Published:
15 July 2026

What is CVE-2026-14251?

A vulnerability exists in the OpenShift GitOps operator, where the ClusterRole reconciler fails to properly validate resource ownership. This lack of validation allows for a namespace-scoped Argo CD instance to potentially trigger the deletion of a ClusterRole that is owned by a cluster-scoped Argo CD instance. Through a maliciously crafted name collision, this could result in unexpected service disruptions and denial of service conditions, impacting the reliability of applications utilizing the affected operator.

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Nebojša Jaćović for reporting this issue.
.