CVE-2026-14251 PUBLISHED

Gitops-operator: gitops-operator: missing allowednamespace check in reconcilerhook for clusterrole/role cases enables potential privilege escalation and dos

Assigner: redhat
Reserved: 30.06.2026 Published: 15.07.2026 Updated: 15.07.2026

A flaw was found in the OpenShift GitOps operator. The ClusterRole reconciler does not validate resource ownership when reconciling ClusterRole objects. A namespace-scoped Argo CD instance can trigger deletion of a ClusterRole owned by a cluster-scoped Argo CD instance by crafting a name collision, resulting in a denial of service.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CVSS Score: 7.7

Product Status

Vendor Red Hat
Product Red Hat OpenShift GitOps
Versions Default: affected
Vendor Red Hat
Product Red Hat OpenShift GitOps
Versions Default: affected

Credits

  • Red Hat would like to thank Nebojša Jaćović for reporting this issue.

References

Problem Types

  • Missing Authorization CWE