CVE-2026-6388 - Vulnerability Analysis
Critical | CVSS: 9.1 | Last Updated: April 15, 2026
ArgoCD Image Updater - Broken Access Control
Published: April 15, 2026 | Updated: April 15, 2026 | Remote Exploitable
Overview
ArgoCD Image Updater contains a broken access control vulnerability caused by insufficient validation of ImageUpdater resource permissions in multi-tenant environments. It lets attackers bypass namespace boundaries and trigger unauthorized image updates. Exploitation requires permissions to create or modify ImageUpdater resources.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Attackers can escalate privileges across namespaces, causing unauthorized application updates and compromising application integrity.
Mitigation
Update to the latest version with proper validation of ImageUpdater resource permissions.
Details
- CVE ID: CVE-2026-6388
- Severity: Critical
- CVSS Score: 9.1
- Type: broken_access_control
- Status: new
CWE
- CWE-1220
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L