CVE-2025-13888 Overview
A critical privilege escalation vulnerability was discovered in OpenShift GitOps that allows namespace administrators to bypass namespace isolation controls. By creating malicious ArgoCD Custom Resources (CRs), authenticated attackers can manipulate the system into granting elevated permissions across namespace boundaries, including access to privileged namespaces. This exploitation path ultimately enables the creation of privileged workloads on master nodes, resulting in root-level access to the entire Kubernetes cluster.
Critical Impact
Authenticated namespace administrators can escalate privileges to gain root access to the entire OpenShift cluster through malicious ArgoCD Custom Resource manipulation.
Affected Products
- OpenShift GitOps (versions prior to v1.16.2)
- Red Hat GitOps Operator
Discovery Timeline
- December 15, 2025 - CVE-2025-13888 published to NVD
- January 22, 2026 - Last updated in NVD database
Technical Details for CVE-2025-13888
Vulnerability Analysis
This vulnerability stems from an Improper Privilege Management flaw (CWE-266) in the OpenShift GitOps operator's namespace handling logic. The core issue resides in the ArgoCD metrics controller component, which improperly applied cluster-level monitoring labels to user-controlled namespaces without adequate namespace prefix validation.
The vulnerable code path allowed namespace administrators to leverage ArgoCD Custom Resources to inject cluster monitoring labels (openshift.io/cluster-monitoring) into namespaces that should only receive user-level monitoring labels. This label manipulation enables cross-namespace privilege escalation, as the cluster monitoring label grants access to privileged namespace contexts.
Once an attacker obtains elevated namespace permissions, they can schedule privileged workloads on master nodes. Pods running with elevated privileges on control plane nodes effectively have root access to the underlying infrastructure, enabling complete cluster compromise including access to secrets, modification of cluster configurations, and lateral movement to all workloads.
Root Cause
The vulnerability exists in the argocd_metrics_controller.go file where the controller failed to differentiate between cluster namespaces (prefixed with openshift-) and user namespaces when applying monitoring labels. The original implementation uniformly applied the openshift.io/cluster-monitoring label regardless of namespace context, allowing user namespaces to inherit cluster-level monitoring privileges.
Attack Vector
The attack requires network access and authenticated access as a namespace administrator. The attacker creates an ArgoCD Custom Resource that triggers the vulnerable metrics controller code path. When the controller processes this CR, it incorrectly applies cluster monitoring labels to the attacker-controlled namespace, elevating the attacker's permissions. The changed scope allows the attacker to escape their original namespace boundary and access privileged namespaces, ultimately enabling privileged pod creation on master nodes.
// Security patch in controllers/argocd_metrics_controller.go
// Source: https://github.com/redhat-developer/gitops-operator/commit/bc6ac3e03d7c8b3db5d8f1770c868396a4c2dcef
}
const clusterMonitoringLabel = "openshift.io/cluster-monitoring"
- labelVal, exists := namespace.Labels[clusterMonitoringLabel]
+ const userDefinedMonitoringLabel = "openshift.io/user-monitoring"
+ var labelVal, monitoringLabel string
+ var exists bool
+ if strings.HasPrefix(namespace.Name, "openshift-") {
+ labelVal, exists = namespace.Labels[clusterMonitoringLabel]
+ monitoringLabel = clusterMonitoringLabel
+ } else {
+ labelVal, exists = namespace.Labels[userDefinedMonitoringLabel]
+ monitoringLabel = userDefinedMonitoringLabel
+ }
if argocd.Spec.Monitoring.DisableMetrics == nil || !*argocd.Spec.Monitoring.DisableMetrics {
if !exists || labelVal != "true" {
if namespace.Labels == nil {
namespace.Labels = make(map[string]string)
}
- namespace.Labels[clusterMonitoringLabel] = "true"
+ namespace.Labels[monitoringLabel] = "true"
err = r.Client.Update(ctx, &namespace)
if err != nil {
reqLogger.Error(err, "Error updating namespace",
The patch introduces namespace prefix validation, ensuring only namespaces beginning with openshift- receive the cluster monitoring label, while user namespaces receive the openshift.io/user-monitoring label instead.
Detection Methods for CVE-2025-13888
Indicators of Compromise
- Unexpected openshift.io/cluster-monitoring=true labels on non-system namespaces (those not prefixed with openshift-)
- ArgoCD Custom Resources created in user namespaces with unusual monitoring configurations
- Privileged pods scheduled on master/control plane nodes originating from non-system namespaces
- Audit log entries showing namespace label modifications by ArgoCD service accounts
Detection Strategies
- Monitor Kubernetes audit logs for namespace label changes involving openshift.io/cluster-monitoring
- Implement admission controller policies to alert on cluster monitoring labels applied to user namespaces
- Review ArgoCD CR configurations for anomalous Spec.Monitoring settings
- Track privileged workload creation events, particularly those targeting master nodes
Monitoring Recommendations
- Enable verbose audit logging for namespace modification events and ArgoCD controller activities
- Configure alerts for any pods with privileged security contexts deployed to control plane nodes
- Implement namespace label monitoring using Open Policy Agent (OPA) or Kyverno policies
- Regularly review RBAC permissions granted to namespace administrators
How to Mitigate CVE-2025-13888
Immediate Actions Required
- Upgrade OpenShift GitOps Operator to version v1.16.2 or later immediately
- Audit all namespaces for unauthorized openshift.io/cluster-monitoring labels and remove them from non-system namespaces
- Review and restrict namespace administrator permissions where possible
- Inspect master/control plane nodes for any unauthorized privileged workloads
Patch Information
Red Hat has released security patches addressing this vulnerability. Refer to the following advisories for patched versions:
- Red Hat Security Advisory RHSA-2025:23203
- Red Hat Security Advisory RHSA-2025:23206
- Red Hat Security Advisory RHSA-2025:23207
- Red Hat Security Advisory RHSA-2026:1017
The fix is available in GitOps Operator v1.16.2. For technical details, see GitHub Pull Request #897.
Workarounds
- Implement admission controllers to block the openshift.io/cluster-monitoring label on non-system namespaces
- Restrict ArgoCD Custom Resource creation to trusted administrators only using RBAC
- Apply Pod Security Policies or Pod Security Standards to prevent privileged workloads on control plane nodes
- Consider temporarily disabling ArgoCD metrics collection until patching is complete by setting Spec.Monitoring.DisableMetrics: true
# Audit namespaces for unauthorized cluster monitoring labels
kubectl get namespaces -o json | jq -r '.items[] | select(.metadata.labels["openshift.io/cluster-monitoring"] == "true") | select(.metadata.name | startswith("openshift-") | not) | .metadata.name'
# Remove unauthorized labels from affected namespaces
kubectl label namespace <namespace-name> openshift.io/cluster-monitoring-
# Verify GitOps Operator version
kubectl get deployment gitops-operator-controller-manager -n openshift-gitops-operator -o jsonpath='{.spec.template.spec.containers[0].image}'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
