
CVE-2026-6388

Severity: Critical (updated)
Published: 15 April 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (see References)
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L)
EPSS score: 0.0031 (23.0th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-6388 is a critical-severity Insufficient Granularity of Access Control (CWE-1220) vulnerability in ArgoCD Image Updater; the vendor is inferred as Red Hat from the references, since NVD filed no CPE. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 23.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-6388 is a critical vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L) in ArgoCD Image Updater, published on 2026-04-15T22:17:22.583 and associated with CWE-1220. The flaw is insufficient validation of the ImageUpdater custom resource: the controller does not confine an ImageUpdater to the namespace it was created in, so a tenant can reach applications that belong to other tenants in a multi-tenant Kubernetes cluster. The scope change (S:C) in the vector reflects exactly that: the attacker's authority over one namespace is converted into an effect on resources governed by a different security authority. This affects deployments relying on ArgoCD Image Updater for automated image updates in GitOps workflows.

An attacker with low-privilege access, specifically permission to create or modify an ImageUpdater resource within their own namespace, can exploit this issue remotely with low complexity and no user interaction. Successful exploitation lets the attacker trigger unauthorized image updates on applications managed by other tenants, which is cross-namespace privilege escalation: the attacker chooses which image another tenant's application runs, and so what code executes in that tenant's workload. This compromises application integrity across namespace boundaries (I:H), with lesser impact on confidentiality and availability (C:L, A:L).
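The page describes the attack in prose: an ImageUpdater created in one namespace that names Applications in another. The check below is an added example, not code from ArgoCD Image Updater, Red Hat or this page, showing the tenancy-boundary rule a validating admission policy should enforce (the AC-3/AC-4 controls listed later on this page) and the same rule applied to kube-apiserver audit events as a detection for clusters that cannot patch immediately. The spec field names it reads (spec.namespace, spec.applicationRefs[].namespace and .namePattern) and the resource plural "imageupdaters" are assumptions for illustration and must be mapped to the CRD schema of the version actually installed; the audit events at the bottom are constructed, not real logs.

```python
"""Tenancy-boundary check for ImageUpdater writes (added example, not project code).

ASSUMED for illustration: the ImageUpdater spec carries a default target
namespace in spec.namespace and per-target overrides in
spec.applicationRefs[].namespace; the audit objectRef.resource is
"imageupdaters". Map these to the real CRD before using the check.
"""
import json
from typing import Dict, Iterable, List, Optional, Tuple

# Only writes can change what the controller updates; reads are not interesting.
WATCHED_VERBS = {"create", "update", "patch"}


def cross_namespace_targets(updater: Dict, own_ns: Optional[str] = None) -> List[str]:
    """Return every target namespace the ImageUpdater reaches outside its own.

    Rule: a tenant-scoped ImageUpdater may only act on Applications that live
    in the namespace the ImageUpdater itself lives in. Any other explicit
    namespace, and any wildcard such as "*", differs from own_ns and is
    therefore reported as a boundary crossing.
    """
    own_ns = own_ns or updater["metadata"]["namespace"]
    spec = updater.get("spec", {})
    default_ns = spec.get("namespace", own_ns)            # assumed spec-level default
    targets = [default_ns] + [
        ref.get("namespace", default_ns)                  # assumed per-ref override
        for ref in spec.get("applicationRefs", [])
    ]
    crossings: List[str] = []
    for target in targets:
        if target != own_ns and target not in crossings:
            crossings.append(target)
    return crossings


def admit(updater: Dict) -> Tuple[bool, str]:
    """Decision a validating webhook or policy engine would return for a write."""
    crossings = cross_namespace_targets(updater)
    if crossings:
        ns = updater["metadata"]["namespace"]
        return False, "ImageUpdater in %s targets other namespaces: %s" % (ns, ", ".join(crossings))
    return True, "ok"


def flag_audit_events(events: Iterable[Dict]) -> List[Dict]:
    """Scan kube-apiserver audit events for ImageUpdater writes that cross namespaces.

    The audit policy must log this resource at level Request or
    RequestResponse; at Metadata level requestObject is absent and the
    event is skipped rather than silently passed.
    """
    findings = []
    for ev in events:
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "imageupdaters" or ev.get("verb") not in WATCHED_VERBS:
            continue
        body = ev.get("requestObject")
        if body is None:
            continue
        crossings = cross_namespace_targets(body, own_ns=ref.get("namespace"))
        if crossings:
            findings.append({
                "user": ev.get("user", {}).get("username", "?"),
                "sourceIP": (ev.get("sourceIPs") or ["?"])[0],
                "namespace": ref.get("namespace"),
                "name": ref.get("name"),
                "targets": crossings,
            })
    return findings


def load_events(text: str) -> List[Dict]:
    """Parse one JSON audit event per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample audit log: a benign in-namespace updater, the cross-tenant
# write the advisory describes, and an unrelated read that must be ignored.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","verb":"create","user":{"username":"system:serviceaccount:tenant-a:deployer"},"sourceIPs":["10.0.3.7"],"objectRef":{"resource":"imageupdaters","namespace":"tenant-a","name":"web"},"requestObject":{"metadata":{"name":"web","namespace":"tenant-a"},"spec":{"applicationRefs":[{"namePattern":"web-*"}]}}}
{"kind":"Event","verb":"create","user":{"username":"system:serviceaccount:tenant-a:deployer"},"sourceIPs":["10.0.3.7"],"objectRef":{"resource":"imageupdaters","namespace":"tenant-a","name":"sneaky"},"requestObject":{"metadata":{"name":"sneaky","namespace":"tenant-a"},"spec":{"applicationRefs":[{"namePattern":"*","namespace":"tenant-b"},{"namePattern":"*","namespace":"*"}]}}}
{"kind":"Event","verb":"get","user":{"username":"alice"},"sourceIPs":["10.0.9.1"],"objectRef":{"resource":"imageupdaters","namespace":"tenant-b","name":"api"}}
"""

if __name__ == "__main__":
    for finding in flag_audit_events(load_events(SAMPLE_AUDIT_LOG)):
        print("ALERT cross-namespace ImageUpdater write:", finding)
```

The admission rule is a compensating control, not a fix: it blocks the manifests a tenant can submit, while the vulnerable controller itself still trusts whatever already exists. Upgrade per the Red Hat advisory, and use the audit-event scan to look back over the retention window for ImageUpdater writes that crossed namespaces before the policy was in place.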

Mitigation details are available in the referenced advisories, including the Red Hat security bulletin at https://access.redhat.com/security/cve/CVE-2026-6388 and the Bugzilla tracker at https://bugzilla.redhat.com/show_bug.cgi?id=2458766, which outline patches and workarounds for affected ArgoCD Image Updater versions.


Vulnerability details

A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates.

CWE(s)

CWE-1220 Insufficient Granularity of Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Vulnerability directly enables cross-namespace privilege escalation via insufficient validation of ImageUpdater resources, allowing low-priv attackers to trigger unauthorized image updates on other tenants' applications in multi-tenant Kubernetes.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One (shared CWE-1220)

CVE-2026-33825
CVE-2025-7493
CVE-2024-53295
CVE-2026-6356
CVE-2026-35436
CVE-2023-31343
CVE-2026-40365
CVE-2023-31342
CVE-2024-13256
CVE-2025-20111

Affected Assets

Red Hat (vendor inferred from the references and description; NVD did not file a CPE for this CVE)
Product: ArgoCD Image Updater

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-derived)

prevent
Directly addresses the insufficient validation flaw in ImageUpdater resources that enables namespace boundary bypass and unauthorized cross-tenant image updates.

prevent: AC-4 (Information Flow Enforcement)
Enforces approved authorizations for information flows to prevent attackers from triggering image updates across namespace boundaries in multi-tenant environments.

prevent: AC-3 (Access Enforcement)
Mandates enforcement of access controls to block unauthorized privilege escalation and application updates initiated from low-privilege ImageUpdater modifications.

References

Red Hat security bulletin: https://access.redhat.com/security/cve/CVE-2026-6388
Red Hat Bugzilla tracker: https://bugzilla.redhat.com/show_bug.cgi?id=2458766