GHSA-pcqx-8qww-7f4v

Source
https://github.com/advisories/GHSA-pcqx-8qww-7f4v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-pcqx-8qww-7f4v/GHSA-pcqx-8qww-7f4v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pcqx-8qww-7f4v
Aliases
Published
2025-12-15T18:30:39Z
Modified
2026-01-22T18:50:35.696046Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
OpenShift GitOps authenticated attackers can obtain cluster root access through forged ArgoCD custom resources
Details

A flaw was found in OpenShift GitOps. A namespace admin can create ArgoCD Custom Resources (CRs) that cause the operator to grant them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster.

Database specific
{
    "cwe_ids": [
        "CWE-266"
    ],
    "severity": "CRITICAL",
    "nvd_published_at": "2025-12-15T16:15:50Z",
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-16T20:11:04Z"
}
References

Affected packages

Go / github.com/redhat-developer/gitops-operator

Package

Name
github.com/redhat-developer/gitops-operator
Purl
pkg:golang/github.com/redhat-developer/gitops-operator

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.16.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-pcqx-8qww-7f4v/GHSA-pcqx-8qww-7f4v.json"