PT-2026-57989 · Red Hat+1 · Openshift Data Foundation+2

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-15416

CVSS v3.1

8.9

High

VectorAV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions OpenShift Data Foundation 4 odf-multicluster-rhel9-operator (affected versions not specified) OpenShift GitOps argocd-image-updater-rhel8 (affected versions not specified) OpenShift GitOps argocd-rhel8 (affected versions not specified) OpenShift GitOps gitops-operator-bundle (affected versions not specified) OpenShift GitOps gitops-rhel8 (affected versions not specified) OpenShift GitOps gitops-rhel8-operator (affected versions not specified)
Description A flaw in the Argo CD repo-server allows an unauthenticated attacker with network access to the internal gRPC endpoint to achieve remote code execution. If the attacker can also access the Redis cache, they may manipulate cached deployment data to deploy malicious Kubernetes resources to managed clusters, which could lead to a complete cluster compromise.
Recommendations Lock down the repo-server and Redis services using NetworkPolicies to ensure they are not exposed externally or to untrusted pods. Apply vendor fixes for odf-multicluster-rhel9-operator, argocd-image-updater-rhel8, argocd-rhel8, gitops-operator-bundle, gitops-rhel8, and gitops-rhel8-operator as they become available.

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15416

Affected Products

Argo Cd
Openshift Data Foundation
Openshift Gitops