CVE-2025-13888 · CRITICAL 9.1 · EPSS percentile 45.4%

Description

A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.63% probability of exploitation · percentile 45.4% · 2026-06-18T12:00:27Z
Published: 2025-12-15
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-266 (Incorrect Privilege Assignment)

References

  1. https://access.redhat.com/errata/RHSA-2025:23203
  2. https://access.redhat.com/errata/RHSA-2025:23206
  3. https://access.redhat.com/errata/RHSA-2025:23207
  4. https://access.redhat.com/errata/RHSA-2026:1017
  5. https://access.redhat.com/security/cve/CVE-2025-13888
  6. https://bugzilla.redhat.com/show_bug.cgi?id=2418361
  7. https://github.com/redhat-developer/gitops-operator/commit/bc6ac3e03d7c8b3db5d8f1770c868396a4c2dcef
  8. https://github.com/redhat-developer/gitops-operator/pull/897

Type      Target                                    Confidence  Tier
Weakness  Incorrect Privilege Assignment (cwe-266)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-10725
  2. CVE-2026-6388
  3. CVE-2026-10843
  4. CVE-2025-32445
  5. CVE-2025-55190
  6. CVE-2025-3528
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.