Security issue with OpenShift GitOps that basically allows namespace admins to take over the whole cluster.

If you can create ArgoCD CRs, you can basically take over the whole cluster. This permission is currently granted to all namespace admins created with a RoleBinding that binds the ClusterRole admin.

This is how you can achieve it:

When you create an ArgoCD CR in your own namespace (where you are namespace admin), you can specify sourceNamespaces under spec. You can provide whatever namespace you want here (even though the operator checks whether the target namespace already has the label). For example, I could specify the namespace default here. Due to the operator's check, this is only possible for namespaces where this label is not set yet.

When I create the ArgoCD CR, the operator will annotate the specified sourceNamespaces with the label: argocd.argoproj.io/managed-by-cluster-argocd: test-1

In this case test-1 is the name of my namespace, where I am namespace admin. For this example I used the default namespace as my sourceNamespace.

Additionally, the operator will create a RoleBinding and a Role within the namespace (in this example the default namespace). The Role allows managing ArgoCD resources, but also creating and updating CronJobs and Jobs. The RoleBinding binds the Role to the ServiceAccounts that are used by the ArgoCD instance that I have access to (argocd-server and argocd-application-controller).

So now I have access to two ServiceAccounts and their tokens, which are able to create Jobs / CronJobs in my defined sourceNamespace. In my example I used the default namespace. The default namespace has the privileged SCC, so I am able to run privileged Jobs.

Now I can extract the token of the ServiceAccounts that are used by my ArgoCD instance and use it to create a privileged Job in the default namespace. The Job can even run on master nodes, so basically I have root access to the master nodes and can fully take over the cluster without a problem.

This seems to be a security issue from my point of view, because all it needs is a namespace admin to take over the whole cluster.
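A defender's audit for the state described above, as an added example that is not part of the original report or of the operator's code: it flags ArgoCD CRs that claim other namespaces through sourceNamespaces, namespaces carrying the managed-by label for an unexpected owner, and RoleBindings that grant a ServiceAccount from another namespace. The function name, the sample objects, and the trusted set (openshift-gitops) are assumptions; the inputs are shaped like `oc get <kind> -A -o json` output.

```python
LABEL = "argocd.argoproj.io/managed-by-cluster-argocd"  # label named in the report

def audit(argocds, namespaces, rolebindings, trusted):
    """Return sorted (check, namespace, detail) findings.

    trusted: namespaces allowed to run an Argo CD instance that manages
    other namespaces (assumption of this example; the set is site policy).
    """
    findings = set()
    # 1. ArgoCD CRs outside the trusted set that claim another namespace.
    for cr in argocds["items"]:
        home = cr["metadata"]["namespace"]
        for target in cr.get("spec", {}).get("sourceNamespaces") or []:
            if home not in trusted and target != home:
                findings.add(("cr-source-namespace", target, home))
    # 2. Namespaces already labelled as managed by an untrusted instance.
    for ns in namespaces["items"]:
        owner = (ns["metadata"].get("labels") or {}).get(LABEL)
        if owner and owner not in trusted:
            findings.add(("namespace-label", ns["metadata"]["name"], owner))
    # 3. RoleBindings whose subject is a ServiceAccount from an untrusted
    #    namespace other than the one the binding lives in.
    for rb in rolebindings["items"]:
        here = rb["metadata"]["namespace"]
        for s in rb.get("subjects") or []:
            src = s.get("namespace")
            if (s.get("kind") == "ServiceAccount"
                    and src not in (None, here) and src not in trusted):
                findings.add(("cross-ns-rolebinding", here, f"{src}/{s['name']}"))
    return sorted(findings)

def sa(ns, name):
    return {"kind": "ServiceAccount", "namespace": ns, "name": name}

# Constructed sample input mirroring the report's test-1 / default scenario.
ARGOCDS = {"items": [
    {"metadata": {"namespace": "test-1"}, "spec": {"sourceNamespaces": ["default"]}},
    {"metadata": {"namespace": "openshift-gitops"}, "spec": {"sourceNamespaces": ["team-a"]}},
]}
NAMESPACES = {"items": [
    {"metadata": {"name": "default", "labels": {LABEL: "test-1"}}},
    {"metadata": {"name": "team-a", "labels": {LABEL: "openshift-gitops"}}},
    {"metadata": {"name": "test-1"}},
]}
ROLEBINDINGS = {"items": [
    {"metadata": {"namespace": "default"}, "subjects": [
        sa("test-1", "argocd-server"), sa("test-1", "argocd-application-controller")]},
    {"metadata": {"namespace": "team-a"}, "subjects": [sa("openshift-gitops", "argocd-server")]},
]}
TRUSTED = {"openshift-gitops"}  # assumption: only this namespace may manage others

if __name__ == "__main__":
    for finding in audit(ARGOCDS, NAMESPACES, ROLEBINDINGS, TRUSTED):
        print(*finding, sep="\t")
```

Any finding against a namespace that holds the privileged SCC, such as default in the report, deserves review first.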