Critical severity · 9.1 · OSV Advisory · Published Dec 15, 2025 · Updated Apr 15, 2026

CVE-2025-13888

CVE-2025-13888

Description

A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
github.com/redhat-developer/gitops-operator (Go) | < 1.16.2 | 1.16.2

Affected products


Patches

bc6ac3e03d7c

fix CVE namespace-isolation break (#897)

https://github.com/redhat-developer/gitops-operator · Anand Kumar Singh · May 26, 2025 · via ghsa
2 files changed · +22 10
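--- a/controllers/argocd_metrics_controller.go
+++ b/controllers/argocd_metrics_controller.go
@@ -109,14 +109,23 @@ func (r *ArgoCDMetricsReconciler) Reconcile(ctx context.Context, request reconci
 	}
 
 	const clusterMonitoringLabel = "openshift.io/cluster-monitoring"
-	labelVal, exists := namespace.Labels[clusterMonitoringLabel]
+	const userDefinedMonitoringLabel = "openshift.io/user-monitoring"
+	var labelVal, monitoringLabel string
+	var exists bool
+	if strings.HasPrefix(namespace.Name, "openshift-") {
+		labelVal, exists = namespace.Labels[clusterMonitoringLabel]
+		monitoringLabel = clusterMonitoringLabel
+	} else {
+		labelVal, exists = namespace.Labels[userDefinedMonitoringLabel]
+		monitoringLabel = userDefinedMonitoringLabel
+	}
 
 	if argocd.Spec.Monitoring.DisableMetrics == nil || !*argocd.Spec.Monitoring.DisableMetrics {
 		if !exists || labelVal != "true" {
 			if namespace.Labels == nil {
 				namespace.Labels = make(map[string]string)
 			}
-			namespace.Labels[clusterMonitoringLabel] = "true"
+			namespace.Labels[monitoringLabel] = "true"
 			err = r.Client.Update(ctx, &namespace)
 			if err != nil {
 				reqLogger.Error(err, "Error updating namespace",
@@ -178,7 +187,7 @@ func (r *ArgoCDMetricsReconciler) Reconcile(ctx context.Context, request reconci
 		}
 	} else {
 		if exists {
-			namespace.Labels[clusterMonitoringLabel] = "false"
+			namespace.Labels[monitoringLabel] = "false"
 			err = r.Client.Update(ctx, &namespace)
 			if err != nil {
 				reqLogger.Error(err, "Error updating namespace",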
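Review bot: The non-openshift branch of the new prefix check (the `} else {` after `strings.HasPrefix`) reads only `userDefinedMonitoringLabel`, so a namespace that a pre-1.16.2 operator already labelled `openshift.io/cluster-monitoring=true` keeps that label after upgrade; both the enable path and the `DisableMetrics` path in the second hunk now write `monitoringLabel` only and never touch the stale key. Clearing the stale label in that branch, as below, closes the gap for clusters that ran the vulnerable version; the logging mirrors the existing `reqLogger.Error` call, and the return value should follow whatever the surrounding Update error paths return, which continue outside the hunk. Reconcile starts before and ends after both hunks, and the `strings` import this change requires is outside the hunk, so confirm it is present.
```go
	} else {
		labelVal, exists = namespace.Labels[userDefinedMonitoringLabel]
		monitoringLabel = userDefinedMonitoringLabel
		// A pre-fix operator may already have enrolled this namespace in
		// cluster monitoring; drop that label rather than carry it forward.
		if _, stale := namespace.Labels[clusterMonitoringLabel]; stale {
			delete(namespace.Labels, clusterMonitoringLabel)
			if err = r.Client.Update(ctx, &namespace); err != nil {
				reqLogger.Error(err, "Error removing stale cluster-monitoring label",
					"Namespace", namespace.Name)
				return reconcile.Result{}, err // match the existing Update error path
			}
		}
	}
	// … unchanged: DisableMetrics handling …
```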
    
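--- a/controllers/argocd_metrics_controller_test.go
+++ b/controllers/argocd_metrics_controller_test.go
@@ -81,16 +81,19 @@ func newMetricsReconciler(t *testing.T, namespace, name string, disableMetrics *
 
 func TestReconcile_add_namespace_label(t *testing.T) {
 	testCases := []struct {
-		instanceName string
-		namespace    string
+		instanceName  string
+		namespace     string
+		expectedLabel string
 	}{
 		{
-			instanceName: argoCDInstanceName,
-			namespace:    "openshift-gitops",
+			instanceName:  argoCDInstanceName,
+			namespace:     "openshift-gitops",
+			expectedLabel: "openshift.io/cluster-monitoring",
 		},
 		{
-			instanceName: "instance-two",
-			namespace:    "namespace-two",
+			instanceName:  "instance-two",
+			namespace:     "namespace-two",
+			expectedLabel: "openshift.io/user-monitoring",
 		},
 	}
 	for _, tc := range testCases {
@@ -101,7 +104,7 @@ func TestReconcile_add_namespace_label(t *testing.T) {
 		ns := corev1.Namespace{}
 		err = r.Client.Get(context.TODO(), types.NamespacedName{Name: tc.namespace}, &ns)
 		assert.NilError(t, err)
-		value := ns.Labels["openshift.io/cluster-monitoring"]
+		value := ns.Labels[tc.expectedLabel]
 		assert.Equal(t, value, "true")
 	}
 }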
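Review bot: The second hunk asserts only that `tc.expectedLabel` is set to "true", so the property the fix actually establishes, that a non-`openshift-` namespace no longer receives `openshift.io/cluster-monitoring`, is not checked and a regression to the old behavior would still pass for `namespace-two`. A negative assertion after the existing `assert.Equal` pins it: `if tc.expectedLabel != "openshift.io/cluster-monitoring" { assert.Equal(t, ns.Labels["openshift.io/cluster-monitoring"], "") }`. Adding a case with `disableMetrics` set would likewise cover the "false" path changed in the controller, which this test does not exercise.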
    

Vulnerability mechanics


References

