CVE-2026-6388
Cross-Namespace Privilege Escalation in ArgoCD Image Updater
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: Red Hat, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| argocd_image_updater | argocd_image_updater | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1220 | The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability can impact you by allowing unauthorized updates to applications managed by other tenants in a multi-tenant environment.
This leads to cross-namespace privilege escalation, compromising application integrity.
As a result, attackers could potentially introduce malicious changes or disrupt application functionality.
Can you explain this vulnerability to me?
This vulnerability exists in ArgoCD Image Updater and allows an attacker who has permissions to create or modify an ImageUpdater resource in a multi-tenant environment to bypass namespace boundaries.
By exploiting insufficient validation, the attacker can cause unauthorized image updates on applications managed by other tenants.
This results in cross-namespace privilege escalation, meaning the attacker can affect applications outside their own namespace.