{"api_version":"1","generated_at":"2026-04-24T01:51:50+00:00","cve":"CVE-2026-6388","urls":{"html":"https://cve.report/CVE-2026-6388","api":"https://cve.report/api/cve/CVE-2026-6388.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-6388","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-6388"},"summary":{"title":"Argocd-image-updater: argocd image updater: cross-namespace privilege escalation via insufficient namespace validation","description":"A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates.","state":"PUBLISHED","assigner":"redhat","published_at":"2026-04-15 22:17:22","updated_at":"2026-04-17 15:38:09"},"problem_types":["CWE-1220","CWE-1220 Insufficient Granularity of Access Control"],"metrics":[{"version":"3.1","source":"secalert@redhat.com","type":"Primary","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L","version":"3.1"}}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-6388","name":"https://access.redhat.com/security/cve/CVE-2026-6388","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2458766","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2458766","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-6388","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6388","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift GitOps","version":"","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-04-15T19:29:41.063Z","lang":"en","value":"Reported to Red Hat."},{"source":"CNA","time":"2026-04-15T19:30:41.686Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"Ensure that `AppProject` resources are configured to enforce strict tenant isolation within Red Hat OpenShift GitOps environments. Additionally, restrict the permissions of the Argo CD Image Updater controller to operate only within its designated namespaces, and limit the ability of users to create or modify `ImageUpdater` resources to trusted administrators. This reduces the risk of unauthorized cross-namespace application updates.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"6388","cve":"CVE-2026-6388","epss":"0.000310000","percentile":"0.089040000","score_date":"2026-04-21","updated_at":"2026-04-22 00:07:41"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-6388","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-04-16T14:21:22.834646Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-16T14:26:23.879Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_gitops:1"],"defaultStatus":"affected","packageName":"openshift-gitops-1/argocd-image-updater-rhel8","product":"Red Hat OpenShift GitOps","vendor":"Red Hat"}],"datePublic":"2026-04-15T19:30:41.686Z","descriptions":[{"lang":"en","value":"A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1220","description":"Insufficient Granularity of Access Control","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-15T21:34:07.022Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-6388"},{"name":"RHBZ#2458766","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2458766"}],"timeline":[{"lang":"en","time":"2026-04-15T19:29:41.063Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-04-15T19:30:41.686Z","value":"Made public."}],"title":"Argocd-image-updater: argocd image updater: cross-namespace privilege escalation via insufficient namespace validation","workarounds":[{"lang":"en","value":"Ensure that `AppProject` resources are configured to enforce strict tenant isolation within Red Hat OpenShift GitOps environments. Additionally, restrict the permissions of the Argo CD Image Updater controller to operate only within its designated namespaces, and limit the ability of users to create or modify `ImageUpdater` resources to trusted administrators. This reduces the risk of unauthorized cross-namespace application updates."}],"x_generator":{"engine":"cvelib 1.8.0"},"x_redhatCweChain":"CWE-1220: Insufficient Granularity of Access Control"}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2026-6388","datePublished":"2026-04-15T21:34:07.022Z","dateReserved":"2026-04-15T19:29:52.786Z","dateUpdated":"2026-04-16T14:26:23.879Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-15 22:17:22","lastModifiedDate":"2026-04-17 15:38:09","problem_types":["CWE-1220","CWE-1220 Insufficient Granularity of Access Control"],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":3.1,"impactScore":5.3}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"6388","Ordinal":"1","Title":"Argocd-image-updater: argocd image updater: cross-namespace priv","CVE":"CVE-2026-6388","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"6388","Ordinal":"1","NoteData":"A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates.","Type":"Description","Title":"Argocd-image-updater: argocd image updater: cross-namespace priv"}]}}}