CVE-2026-6388
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk28th percentile — higher than 28% of all known CVEs
Summary
A flaw in ArgoCD Image Updater allows an attacker with permissions to create or modify an ImageUpdater resource in a multi-tenant environment to bypass namespace boundaries. Insufficient validation enables unauthorized image updates on applications managed by other tenants.
Risk Assessment
The risk is cross-namespace privilege escalation, compromising application integrity through unauthorized image updates, potentially allowing malicious code injection.
Recommendation
Immediately update ArgoCD Image Updater to the latest patched version and restrict permissions to create or modify ImageUpdater resources to trusted users only.
Original NVD description (English source)
A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates.

