Skip to main content

OpenShift GitOps CVE-2026-14251

| EUVDEUVD-2026-44596 HIGH
Missing Authorization (CWE-862)
2026-07-15 redhat GHSA-g9w9-rqjq-9rf5
7.7
CVSS 3.1 · NVD
Share

Severity by source

Vendor (redhat) PRIMARY
HIGH
qualitative
NVD
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
vuln.today AI
7.7 HIGH

Authorized tenant controlling a namespace-scoped instance (PR:L) acts over the API (AV:N/AC:L) to delete another instance's ClusterRole (S:C), causing availability-only impact (A:H, C/I:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H

Primary rating from Vendor (redhat).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 15, 2026 - 08:01 vuln.today
CVE Published
Jul 15, 2026 - 07:01 cve.org
HIGH 7.7

DescriptionNVD

A flaw was found in the OpenShift GitOps operator. The ClusterRole reconciler does not validate resource ownership when reconciling ClusterRole objects. A namespace-scoped Argo CD instance can trigger deletion of a ClusterRole owned by a cluster-scoped Argo CD instance by crafting a name collision, resulting in a denial of service.

AnalysisAI

Denial of service in Red Hat OpenShift GitOps (Argo CD operator) lets a tenant who controls a namespace-scoped Argo CD instance delete a ClusterRole belonging to a cluster-scoped Argo CD instance by crafting a name collision. Because the ClusterRole reconciler skips ownership validation (CWE-862), a low-privileged tenant can disrupt a higher-privileged, cluster-wide GitOps instance across the trust boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Control a namespace-scoped Argo CD instance
Delivery
Craft colliding ClusterRole name
Exploit
Operator reconciler skips ownership check
Execution
Cluster-scoped instance's ClusterRole deleted
Impact
Cross-tenant GitOps denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already control a namespace-scoped Argo CD instance within an OpenShift GitOps deployment that ALSO runs a cluster-scoped Argo CD instance, and the attacker must craft a ClusterRole name collision so the operator's reconciler prunes the cluster-scoped instance's ClusterRole. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H, base 7.7) reflects a network-reachable, low-complexity action requiring only the low privileges of a tenant who already operates a namespace-scoped Argo CD instance, with a scope change (S:C) because the impact crosses from the attacker's tenant into the cluster-scoped instance's RBAC. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised tenant who is permitted to run a namespace-scoped Argo CD instance configures it so its ClusterRole reconciler targets a name that collides with a ClusterRole owned by the platform team's cluster-scoped Argo CD instance. Because ownership is not validated, the operator prunes that ClusterRole, stripping the cluster-scoped instance of the RBAC it needs and denying service to all applications it manages. …
Remediation No vendor-released patch version is identified in the available data - the references point only to the Red Hat CVE page (https://access.redhat.com/security/cve/CVE-2026-14251) and Bugzilla 2484710 (https://bugzilla.redhat.com/show_bug.cgi?id=2484710), which should be monitored for the fixed operator version and applied via the OpenShift OperatorHub/OLM channel as soon as it ships. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all OpenShift GitOps deployments in your environment and assess whether multi-tenant isolation is active. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14251 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy