
Redazione RHC : 16 December 2025 07:15
A critical flaw has been disclosed in Red Hat OpenShift GitOps that puts Kubernetes clusters at risk by allowing users with limited permissions to gain full control of them. OpenShift GitOps is designed to automate deployments using Git as the single source of truth. However, researchers found that the permissions model for creating ArgoCD custom resources (CRs) is too permissive.
“If you can create an ArgoCD CR, you can essentially take over the entire cluster,” the vulnerability report states. This vulnerability, tracked as CVE-2025-13888 and assigned a severity score of 9.1 (critical), allows administrators of a single namespace to manipulate the system and gain root access to the entire cluster.
The consequences are:
The vulnerability lies in the way the GitOps operator handles ArgoCD custom resources (CRs), effectively turning a standard administrative feature into a privilege escalation weapon.
The attack vector works by manipulating the sourceNamespaces field of an ArgoCD CR. A namespace administrator, normally confined to managing their own isolated slice of the cluster, can list a target namespace (even a privileged default namespace) in this field.
Administrators are strongly advised to check their OpenShift GitOps operator version and apply the latest security patches immediately. Restricting the ability to create ArgoCD custom resources to trusted cluster administrators also serves as a temporary mitigation.
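The following audit script is an added example, not code from the article, from Red Hat or from the Argo CD project. It reads the JSON that `oc get argocd -A -o json` produces (a constructed sample is embedded here), walks every ArgoCD CR, and flags any entry in `spec.sourceNamespaces` that reaches beyond the namespace the CR itself lives in, rating the finding critical when the target is a privileged namespace such as `default`, `kube-*` or `openshift-*`. The list of privileged namespaces and the sample cluster namespaces are assumptions for the example; a defender would feed the script the real output and the real namespace list of their cluster while waiting to apply the patch.

```python
import fnmatch
import json

# Namespaces a tenant-scoped ArgoCD CR must never be allowed to manage.
# Assumed for this example; extend the set for your own cluster.
PRIVILEGED_NAMESPACES = {"default", "kube-system", "openshift-gitops"}
PRIVILEGED_PREFIXES = ("kube-", "openshift-")
GLOB_CHARS = set("*?[")


def is_privileged(namespace):
    """True for namespaces whose service accounts typically carry cluster-wide power."""
    return namespace in PRIVILEGED_NAMESPACES or namespace.startswith(PRIVILEGED_PREFIXES)


def audit_argocd_cr(cr, cluster_namespaces):
    """Return (severity, message) findings for one ArgoCD CR given as a dict.

    Every spec.sourceNamespaces entry is expanded against the known cluster
    namespaces (entries may be globs). Any target other than the CR's own
    namespace is a finding: 'critical' if privileged, otherwise 'warning'.
    """
    meta = cr.get("metadata", {})
    own_ns = meta.get("namespace", "")
    label = f"{own_ns}/{meta.get('name', '?')}"
    findings = []
    for pattern in cr.get("spec", {}).get("sourceNamespaces") or []:
        reached = fnmatch.filter(cluster_namespaces, pattern)
        # A literal namespace that does not exist yet still widens the CR's scope.
        if not (GLOB_CHARS & set(pattern)) and pattern not in reached:
            reached.append(pattern)
        for target in sorted(set(reached) - {own_ns}):
            severity = "critical" if is_privileged(target) else "warning"
            findings.append((severity, f"{label}: sourceNamespaces {pattern!r} reaches {target}"))
    return findings


def audit_cluster(list_json, cluster_namespaces):
    """Audit the JSON printed by `oc get argocd -A -o json` (a kind: List document)."""
    doc = json.loads(list_json)
    findings = []
    for item in doc.get("items", []):
        findings.extend(audit_argocd_cr(item, cluster_namespaces))
    return findings


# Constructed sample data: the namespaces of a small cluster and two tenant CRs.
CLUSTER_NAMESPACES = [
    "default", "kube-system", "openshift-gitops", "openshift-operators", "team-a", "team-b",
]
SAMPLE_ARGOCD_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # benign: the CR only manages the namespace it lives in
            "apiVersion": "argoproj.io/v1beta1", "kind": "ArgoCD",
            "metadata": {"name": "argocd", "namespace": "team-a"},
            "spec": {"sourceNamespaces": ["team-a"]},
        },
        {   # suspicious: a tenant CR pointing at default and every openshift-* namespace
            "apiVersion": "argoproj.io/v1beta1", "kind": "ArgoCD",
            "metadata": {"name": "argocd", "namespace": "team-b"},
            "spec": {"sourceNamespaces": ["default", "openshift-*"]},
        },
    ],
})

if __name__ == "__main__":
    for severity, message in audit_cluster(SAMPLE_ARGOCD_LIST, CLUSTER_NAMESPACES):
        print(f"[{severity.upper()}] {message}")
```

Running the sample reports three critical findings, all from the `team-b` CR: the literal `default` entry and the two `openshift-*` namespaces the glob expands to. Because the check expands globs against the real namespace list rather than inspecting the strings alone, a pattern such as `*` is caught the same way as an explicit privileged name.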