Platform
kubernetes
Component
argocd-image-updater
Fixed in
1.10.0
2.5.4
CVE-2026-6388 is a privilege escalation vulnerability discovered in the ArgoCD Image Updater component. Exploitation allows an attacker with sufficient permissions to bypass namespace restrictions and trigger unauthorized image updates, potentially compromising application integrity within a multi-tenant environment. This vulnerability affects versions 1.0.0 through 2.5.3 of ArgoCD Image Updater. A patch is available in version 2.5.4.
CVE-2026-6388 in ArgoCD Image Updater, as shipped within Red Hat OpenShift GitOps, poses a significant risk in multi-tenant environments. An attacker with permissions to create or modify ImageUpdater resources can bypass namespace boundaries. This stems from insufficient validation, allowing the attacker to trigger unauthorized image updates on applications managed by other tenants. The result is cross-namespace privilege escalation, impacting application integrity through unauthorized application updates. The CVSS score is 9.1 (critical). Upgrading to version 2.5.4 or higher is strongly recommended to mitigate this risk.
An attacker in a namespace with permissions to create or modify ImageUpdater resources can manipulate the configuration of these resources to target images in other namespaces. By exploiting the lack of validation, the attacker can force the update of images in applications they do not control, potentially injecting malicious code or disrupting service. The complexity of exploitation depends on the attacker's permission level and namespace configuration. However, the ease with which namespace security can be bypassed makes this vulnerability particularly concerning in multi-tenant environments.
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-6388 is to upgrade ArgoCD Image Updater to version 2.5.4 or later. This version includes the necessary fixes to address the insufficient validation and prevent cross-namespace privilege escalation. Additionally, review and audit all existing ImageUpdater resources to identify any misconfigurations that could be exploited. Implementing strict access control policies to limit the permissions of users creating or modifying ImageUpdater resources is a crucial preventative measure. Monitoring ArgoCD logs for suspicious activity related to image updates can help detect and respond to potential attacks.
Update Argocd Image Updater to version 2.5.4 or higher. This version fixes the insufficient namespace validation, preventing cross-namespace privilege escalation and ensuring application integrity.
ArgoCD Image Updater is a tool that automates the updating of container images in applications managed by ArgoCD.
Version 2.5.4 fixes the CVE-2026-6388 vulnerability, which allows for cross-namespace privilege escalation.
Implement strict access controls and monitor ArgoCD logs for suspicious activity.
Check the version of ArgoCD Image Updater you are using. If it is prior to 2.5.4, it is vulnerable.
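The version check above, and the audit step in the mitigation section, can be scripted. The following is an added example, not code from this page or from the Argo project: it takes the image reference of a deployed argocd-image-updater container (for instance from `kubectl -n argocd get deploy argocd-image-updater -o jsonpath='{.spec.template.spec.containers[0].image}'`; the namespace and deployment name are assumptions, adjust them to your install) and classifies it against the affected range the advisory states, 1.0.0 through 2.5.3 with the fix in 2.5.4. References whose tag is not a semantic version (`latest`, digest-only pins) are reported as unknown rather than safe, so they show up for manual review. The sample references at the bottom are constructed for illustration; the `quay.io/argoprojlabs/...` repository path is assumed.

```python
"""Classify argocd-image-updater image references against CVE-2026-6388.

Added example (not part of the advisory page or the Argo project).
Affected range follows the advisory text: 1.0.0 <= version < 2.5.4.
"""
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (1, 0, 0)   # first affected version per the advisory
FIXED_IN: Version = (2, 5, 4)       # first fixed version per the advisory

# Accepts tags such as "2.5.3", "v2.5.3" or "v2.5.3-rc1" (prefix match).
_TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(image_ref: str) -> Optional[Version]:
    """Extract (major, minor, patch) from the tag of an image reference.

    Returns None when the reference has no tag, is pinned only by digest,
    or carries a non-semver tag such as "latest". Callers must treat None
    as "unknown", never as "not affected".
    """
    # Drop a trailing digest: repo/name:tag@sha256:...
    ref = image_ref.split("@", 1)[0]
    # A ':' only denotes a tag if it comes after the last '/'; otherwise it
    # is the registry port (e.g. localhost:5000/name).
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon == -1 or colon < last_slash:
        return None
    match = _TAG_RE.match(ref[colon + 1:])
    if not match:
        return None
    return (int(match.group(1)), int(match.group(2)), int(match.group(3)))


def is_vulnerable(version: Version) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= version < FIXED_IN


def assess(image_ref: str) -> str:
    """Return 'vulnerable', 'not affected' or 'unknown' for one reference."""
    version = parse_version(image_ref)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "not affected"


# Constructed sample references for a stand-alone run; repository path assumed.
SAMPLE_REFS = [
    "quay.io/argoprojlabs/argocd-image-updater:v2.5.3",
    "quay.io/argoprojlabs/argocd-image-updater:v2.5.4",
    "quay.io/argoprojlabs/argocd-image-updater:latest",
    "localhost:5000/argocd-image-updater@sha256:0123456789abcdef",
]

if __name__ == "__main__":
    # Pass image references as arguments, or run without any to see the samples.
    for ref in (sys.argv[1:] or SAMPLE_REFS):
        print(f"{assess(ref):13} {ref}")
```

Run it once per cluster namespace where the updater is installed; anything reported as `unknown` (a floating `latest` tag or a digest pin) needs the running image resolved manually before it can be cleared.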
As of now, no negative functional impacts have been reported after upgrading to version 2.5.4.