Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Authorized tenant controlling a namespace-scoped instance (PR:L) acts over the API (AV:N/AC:L) to delete another instance's ClusterRole (S:C), causing availability-only impact (A:H, C/I:N).
Primary rating from Vendor (redhat).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionNVD
A flaw was found in the OpenShift GitOps operator. The ClusterRole reconciler does not validate resource ownership when reconciling ClusterRole objects. A namespace-scoped Argo CD instance can trigger deletion of a ClusterRole owned by a cluster-scoped Argo CD instance by crafting a name collision, resulting in a denial of service.
AnalysisAI
Denial of service in Red Hat OpenShift GitOps (Argo CD operator) lets a tenant who controls a namespace-scoped Argo CD instance delete a ClusterRole belonging to a cluster-scoped Argo CD instance by crafting a name collision. Because the ClusterRole reconciler skips ownership validation (CWE-862), a low-privileged tenant can disrupt a higher-privileged, cluster-wide GitOps instance across the trust boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already control a namespace-scoped Argo CD instance within an OpenShift GitOps deployment that ALSO runs a cluster-scoped Argo CD instance, and the attacker must craft a ClusterRole name collision so the operator's reconciler prunes the cluster-scoped instance's ClusterRole. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H, base 7.7) reflects a network-reachable, low-complexity action requiring only the low privileges of a tenant who already operates a namespace-scoped Argo CD instance, with a scope change (S:C) because the impact crosses from the attacker's tenant into the cluster-scoped instance's RBAC. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious or compromised tenant who is permitted to run a namespace-scoped Argo CD instance configures it so its ClusterRole reconciler targets a name that collides with a ClusterRole owned by the platform team's cluster-scoped Argo CD instance. Because ownership is not validated, the operator prunes that ClusterRole, stripping the cluster-scoped instance of the RBAC it needs and denying service to all applications it manages. … |
| Remediation | No vendor-released patch version is identified in the available data - the references point only to the Red Hat CVE page (https://access.redhat.com/security/cve/CVE-2026-14251) and Bugzilla 2484710 (https://bugzilla.redhat.com/show_bug.cgi?id=2484710), which should be monitored for the fixed operator version and applied via the OpenShift OperatorHub/OLM channel as soon as it ships. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all OpenShift GitOps deployments in your environment and assess whether multi-tenant isolation is active. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Openshift Gitops
View allA flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an
Remote code execution in the Argo CD repo-server component (as shipped in Red Hat OpenShift GitOps and the argoproj argo
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44596
GHSA-g9w9-rqjq-9rf5