Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Critical Red Hat OpenShift GitOps Vulnerability Exposed

16 December 2025 07:15

A critical flaw has been discovered in Red Hat OpenShift GitOps that puts OpenShift clusters at risk by allowing users with limited, namespace-scoped permissions to gain full control of the cluster. OpenShift GitOps, Red Hat's distribution of Argo CD, automates deployments using Git as the single source of truth. Researchers found, however, that the permission model around creating ArgoCD custom resources (CRs) is too permissive.

“If you can create an ArgoCD CR, you can essentially take over the entire cluster,” the vulnerability report states. The flaw is tracked as CVE-2025-13888 and carries a severity score of 9.1, rated critical: it lets the administrator of a single namespace manipulate the operator into handing them root-equivalent control over the entire cluster.

The consequences are:

  • Privilege grant: when the operator reconciles the attacker's ArgoCD CR, it creates a RoleBinding in the target namespace that binds the attacker's ArgoCD instance to that namespace.
  • Privileged workloads: by targeting a namespace that carries a privileged security context constraint (SCC), such as default, the attacker gains the ability to run privileged workloads.
  • Cluster takeover: those workloads can also be scheduled onto the master (control-plane) nodes; as the report puts it, “essentially I have root access to the master nodes and can take complete control of the cluster without any issues.”

The vulnerability lies in the way the GitOps operator handles ArgoCD custom resources (CRs), effectively turning a standard administrative feature into a privilege escalation weapon.

The attack vector works by manipulating the sourceNamespaces field of an ArgoCD CR. A namespace administrator, normally confined to their own isolated slice of the cluster, can list a target namespace in this field, even a privileged one such as default, and the operator then grants their ArgoCD instance access to that namespace.

Administrators are strongly advised to check their OpenShift GitOps operator version and apply the latest security patches immediately. As an interim mitigation, restrict the ability to create ArgoCD custom resources to trusted cluster administrators, and review existing ArgoCD CRs for sourceNamespaces entries that reach outside the instance's own namespace.
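The following audit script is an added example and is not part of the article, the vulnerability report, or the OpenShift GitOps project. It walks the sourceNamespaces field described above across every ArgoCD CR in a cluster and flags instances that reach outside their own namespace, escalating to CRITICAL when the target is a privileged namespace such as default, kube-system or any openshift-* namespace. The cluster namespace list and the ArgoCD object list are constructed inline to resemble `kubectl get namespaces` and `kubectl get argocds.argoproj.io -A -o json` output so the script runs offline; the set of "privileged" namespace names and prefixes is an assumption to adjust for your cluster, and glob handling via fnmatch mirrors Argo CD's pattern support for sourceNamespaces.

```python
import fnmatch
import json

# Constructed sample namespace list (what `kubectl get namespaces -o name`
# would return, minus the "namespace/" prefix). Not from a real cluster.
CLUSTER_NAMESPACES = [
    "default", "kube-system", "openshift-gitops", "openshift-monitoring",
    "team-a", "team-b", "team-c", "team-d", "team-e",
]

# Constructed sample resembling `kubectl get argocds.argoproj.io -A -o json`.
# The spec.sourceNamespaces field is the real ArgoCD CR field; the instances,
# names and namespaces below are invented for the example.
ARGOCD_LIST_JSON = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"apiVersion": "argoproj.io/v1beta1", "kind": "ArgoCD",
         "metadata": {"name": "openshift-gitops", "namespace": "openshift-gitops"},
         "spec": {}},
        {"apiVersion": "argoproj.io/v1beta1", "kind": "ArgoCD",
         "metadata": {"name": "argocd", "namespace": "team-a"},
         "spec": {"sourceNamespaces": ["team-a"]}},
        {"apiVersion": "argoproj.io/v1beta1", "kind": "ArgoCD",
         "metadata": {"name": "argocd", "namespace": "team-b"},
         "spec": {"sourceNamespaces": ["team-b", "default"]}},
        {"apiVersion": "argoproj.io/v1beta1", "kind": "ArgoCD",
         "metadata": {"name": "argocd", "namespace": "team-c"},
         "spec": {"sourceNamespaces": ["*"]}},
        {"apiVersion": "argoproj.io/v1beta1", "kind": "ArgoCD",
         "metadata": {"name": "argocd", "namespace": "team-d"},
         "spec": {"sourceNamespaces": ["team-d", "team-e"]}},
    ],
})

# Assumption: namespaces a tenant must never be granted access to. `default`
# is the one the advisory calls out; the rest follow standard OpenShift layout.
PRIVILEGED_NAMESPACES = {"default", "kube-system"}
PRIVILEGED_PREFIXES = ("openshift-", "kube-")


def is_privileged(ns: str) -> bool:
    """True if granting a tenant ArgoCD instance access to `ns` is a red flag."""
    return ns in PRIVILEGED_NAMESPACES or ns.startswith(PRIVILEGED_PREFIXES)


def expand(pattern: str, namespaces) -> list:
    """Resolve one sourceNamespaces entry (exact name or glob) to namespaces."""
    return [ns for ns in namespaces if fnmatch.fnmatchcase(ns, pattern)]


def audit_argocd_instances(list_json: str, namespaces=CLUSTER_NAMESPACES) -> list:
    """Return one finding per sourceNamespaces entry that reaches outside the
    namespace the ArgoCD CR lives in. Entries matching only the home namespace
    are expected and produce no finding."""
    findings = []
    for item in json.loads(list_json).get("items", []):
        meta = item.get("metadata", {})
        name, home = meta.get("name", "?"), meta.get("namespace", "?")
        for pattern in item.get("spec", {}).get("sourceNamespaces") or []:
            foreign = [ns for ns in expand(pattern, namespaces) if ns != home]
            if not foreign:
                continue
            privileged = sorted(ns for ns in foreign if is_privileged(ns))
            findings.append({
                "instance": f"{home}/{name}",
                "pattern": pattern,
                "foreign": foreign,
                "privileged": privileged,
                "severity": "CRITICAL" if privileged else "WARN",
            })
    return findings


if __name__ == "__main__":
    for f in audit_argocd_instances(ARGOCD_LIST_JSON):
        print(f"[{f['severity']}] {f['instance']}: sourceNamespaces entry "
              f"{f['pattern']!r} reaches {', '.join(f['foreign'])}"
              + (f" (privileged: {', '.join(f['privileged'])})" if f['privileged'] else ""))
```

To run it against a live cluster, replace the two constructed inputs with the real command output (`oc get namespaces -o name` and `oc get argocds.argoproj.io -A -o json`). A wildcard entry such as `"*"` is the worst case: it resolves to every namespace in the cluster, including the privileged ones, which is exactly the grant the advisory describes. Entries that match nothing today are silently skipped, so re-run the audit whenever namespaces are added.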


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.