Home

Description

A flaw was identified in Argo CD, the GitOps engine used by Red Hat OpenShift GitOps, that could allow an unauthenticated attacker with network access to the Argo CD repo-server to achieve remote code execution. Under certain conditions, the attacker may then manipulate cached data to deploy malicious Kubernetes resources to managed clusters, potentially resulting in complete cluster compromise.

PUBLISHED Reserved 2026-07-10 | Published 2026-07-14 | Updated 2026-07-14 | Assigner redhat




HIGH: 8.9CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Problem types

Missing Authentication for Critical Function

Product status

Default status
unaffected

Any version before 10.0.0
affected

Default status
unaffected

Default status
unknown

Default status
unaffected

Default status
affected

Default status
unaffected

Default status
affected

Default status
unknown

Default status
affected

Default status
affected

Default status
affected

Default status
unaffected

Default status
unaffected

Timeline

2026-07-03:Reported to Red Hat.
2026-07-01:Made public.

References

access.redhat.com/security/cve/CVE-2026-15416 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2496732 (RHBZ#2496732) issue-tracking

github.com/argoproj/argo-helm/commit/0f245ab

github.com/...o-helm/security/advisories/GHSA-47m3-95c7-g2g8

thehackernews.com/...unpatched-argo-cd-repo-server-flaw.html

www.synacktiv.com/...uthenticated-rce-in-argo-cd-with-codeql

cve.org (CVE-2026-15416)

nvd.nist.gov (CVE-2026-15416)

Download JSON