CVE-2025-13888 CRITICAL

CVE-2025-13888: openshift-gitops-operator: OpenShift GitOps: namespace admin cluster takeover via privileged jobs

Vendor Redhat-Developer
Product gitops-operator
Weakness CWE-266
Published December 15, 2025
Last update January 22, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster.

Key dates

02 Disclosure timeline

December 15, 2025 CVE published
January 22, 2026 Record updated