CVE-2025-13888: A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated perm...

Description

A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster.

Metrics

CVSS 3.1

9.1/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Probability

0.63%

45.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-266

References

Timeline

Published: Dec 15, 2025
Last Modified: Jun 17, 2026
Status: Deferred

Frequently Asked Questions

What is CVE-2025-13888?

A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster.

How severe is CVE-2025-13888?

CVE-2025-13888 has a CVSS score of 9.1/10 (CRITICAL severity). The EPSS model estimates a 0.63% probability of exploitation in the next 30 days.

How do I fix CVE-2025-13888?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.