CVE Catalog

CVE-2026-6388

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

28th percentile — higher than 28% of all known CVEs

Summary

A flaw in ArgoCD Image Updater allows an attacker with permissions to create or modify an ImageUpdater resource in a multi-tenant environment to bypass namespace boundaries. Insufficient validation enables unauthorized image updates on applications managed by other tenants.

Risk Assessment

The risk is cross-namespace privilege escalation, compromising application integrity through unauthorized image updates, potentially allowing malicious code injection.

Recommendation

Immediately update ArgoCD Image Updater to the latest patched version and restrict permissions to create or modify ImageUpdater resources to trusted users only.

Original NVD description (English source)

A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS