PT-2026-57989 · Red Hat+1 · Openshift Data Foundation+2
Published
2026-07-14
·
Updated
2026-07-14
·
CVE-2026-15416
CVSS v3.1
8.9
High
| Vector | AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
OpenShift Data Foundation 4
odf-multicluster-rhel9-operator (affected versions not specified)
OpenShift GitOps argocd-image-updater-rhel8 (affected versions not specified)
OpenShift GitOps argocd-rhel8 (affected versions not specified)
OpenShift GitOps gitops-operator-bundle (affected versions not specified)
OpenShift GitOps gitops-rhel8 (affected versions not specified)
OpenShift GitOps gitops-rhel8-operator (affected versions not specified)Description
A flaw in the Argo CD repo-server allows an unauthenticated attacker with network access to the internal gRPC endpoint to achieve remote code execution. If the attacker can also access the Redis cache, they may manipulate cached deployment data to deploy malicious Kubernetes resources to managed clusters, which could lead to a complete cluster compromise.
Recommendations
Lock down the repo-server and Redis services using NetworkPolicies to ensure they are not exposed externally or to untrusted pods.
Apply vendor fixes for
odf-multicluster-rhel9-operator, argocd-image-updater-rhel8, argocd-rhel8, gitops-operator-bundle, gitops-rhel8, and gitops-rhel8-operator as they become available.Fix
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Argo Cd
Openshift Data Foundation
Openshift Gitops