CVE-2026-15416 (GCVE-0-2026-15416)

Vulnerability from cvelistv5 – Published: 2026-07-14 08:56 – Updated: 2026-07-15 14:39
VLAI
Title
Argo-cd: argo cd unauthenticated remote code execution in repo-server via generatemanifest grpc endpoint
Summary
A flaw was identified in Argo CD, the GitOps engine used by Red Hat OpenShift GitOps, that could allow an unauthenticated attacker with network access to the Argo CD repo-server to achieve remote code execution. Under certain conditions, the attacker may then manipulate cached data to deploy malicious Kubernetes resources to managed clusters, potentially resulting in complete cluster compromise.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-306 - Missing Authentication for Critical Function
Assigner
Impacted products
Vendor Product Version
argoproj argo-helm Affected: 0 , < 10.0.0 (semver)
Create a notification for this product.
Red Hat Red Hat Openshift Data Foundation 4     cpe:/a:redhat:openshift_data_foundation:4
Create a notification for this product.
Red Hat Red Hat OpenShift GitOps     cpe:/a:redhat:openshift_gitops:1
Create a notification for this product.
Date Public
2026-07-01 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15416",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-15T14:39:38.453802Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T14:39:52.411Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/argoproj/argo-helm",
          "defaultStatus": "unaffected",
          "packageName": "argo-helm",
          "product": "argo-helm",
          "vendor": "argoproj",
          "versions": [
            {
              "lessThan": "10.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_data_foundation:4"
          ],
          "defaultStatus": "unaffected",
          "packageName": "odf4/odf-multicluster-rhel9-operator",
          "product": "Red Hat Openshift Data Foundation 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_gitops:1"
          ],
          "defaultStatus": "unknown",
          "packageName": "openshift-gitops-1/argocd-agent-rhel8",
          "product": "Red Hat OpenShift GitOps",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_gitops:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "openshift-gitops-1/argocd-agent-rhel9",
          "product": "Red Hat OpenShift GitOps",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_gitops:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-gitops-1/argocd-image-updater-rhel8",
          "product": "Red Hat OpenShift GitOps",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_gitops:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "openshift-gitops-1/argocd-image-updater-rhel9",
          "product": "Red Hat OpenShift GitOps",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_gitops:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-gitops-1/argocd-rhel8",
          "product": "Red Hat OpenShift GitOps",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_gitops:1"
          ],
          "defaultStatus": "unknown",
          "packageName": "openshift-gitops-1/argocd-rhel9",
          "product": "Red Hat OpenShift GitOps",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_gitops:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-gitops-1/gitops-operator-bundle",
          "product": "Red Hat OpenShift GitOps",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_gitops:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-gitops-1/gitops-rhel8",
          "product": "Red Hat OpenShift GitOps",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_gitops:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-gitops-1/gitops-rhel8-operator",
          "product": "Red Hat OpenShift GitOps",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_gitops:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "openshift-gitops-1/gitops-rhel9",
          "product": "Red Hat OpenShift GitOps",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_gitops:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "openshift-gitops-1/gitops-rhel9-operator",
          "product": "Red Hat OpenShift GitOps",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2026-07-01T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was identified in Argo CD, the GitOps engine used by Red Hat OpenShift GitOps, that could allow an unauthenticated attacker with network access to the Argo CD repo-server to achieve remote code execution. Under certain conditions, the attacker may then manipulate cached data to deploy malicious Kubernetes resources to managed clusters, potentially resulting in complete cluster compromise."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.9,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-14T13:46:03.711Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-15416"
        },
        {
          "name": "RHBZ#2496732",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2496732"
        },
        {
          "url": "https://github.com/argoproj/argo-helm/commit/0f245ab"
        },
        {
          "url": "https://github.com/argoproj/argo-helm/security/advisories/GHSA-47m3-95c7-g2g8"
        },
        {
          "url": "https://thehackernews.com/2026/07/unpatched-argo-cd-repo-server-flaw.html"
        },
        {
          "url": "https://www.synacktiv.com/en/publications/caught-in-the-octopus-trap-unauthenticated-rce-in-argo-cd-with-codeql"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-03T00:00:00.000Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-07-01T00:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Argo-cd: argo cd unauthenticated remote code execution in repo-server via generatemanifest grpc endpoint",
      "workarounds": [
        {
          "lang": "en",
          "value": "Limit network access to the Argo CD repo-server gRPC endpoint to trusted internal components using Kubernetes NetworkPolicy or equivalent network access controls. Do not expose the repo-server outside the cluster or to untrusted networks. Restrict access to the associated Redis service and update to a fixed version once one becomes available."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-306: Missing Authentication for Critical Function"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-15416",
    "datePublished": "2026-07-14T08:56:29.942Z",
    "dateReserved": "2026-07-10T14:49:39.682Z",
    "dateUpdated": "2026-07-15T14:39:52.411Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-15416",
      "date": "2026-07-15",
      "epss": "0.00281",
      "percentile": "0.20023"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-15416\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2026-07-14T09:16:40.590\",\"lastModified\":\"2026-07-15T15:16:28.067\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was identified in Argo CD, the GitOps engine used by Red Hat OpenShift GitOps, that could allow an unauthenticated attacker with network access to the Argo CD repo-server to achieve remote code execution. Under certain conditions, the attacker may then manipulate cached data to deploy malicious Kubernetes resources to managed clusters, potentially resulting in complete cluster compromise.\"}],\"affected\":[{\"source\":\"secalert@redhat.com\",\"affectedData\":[{\"vendor\":\"argoproj\",\"product\":\"argo-helm\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://github.com/argoproj/argo-helm\",\"packageName\":\"argo-helm\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"10.0.0\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Openshift Data Foundation 4\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"odf4/odf-multicluster-rhel9-operator\",\"cpes\":[\"cpe:/a:redhat:openshift_data_foundation:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift GitOps\",\"defaultStatus\":\"unknown\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-gitops-1/argocd-agent-rhel8\",\"cpes\":[\"cpe:/a:redhat:openshift_gitops:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift GitOps\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-gitops-1/argocd-agent-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift_gitops:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift GitOps\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-gitops-1/argocd-image-updater-rhel8\",\"cpes\":[\"cpe:/a:redhat:openshift_gitops:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift GitOps\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-gitops-1/argocd-image-updater-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift_gitops:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift GitOps\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-gitops-1/argocd-rhel8\",\"cpes\":[\"cpe:/a:redhat:openshift_gitops:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift GitOps\",\"defaultStatus\":\"unknown\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-gitops-1/argocd-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift_gitops:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift GitOps\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-gitops-1/gitops-operator-bundle\",\"cpes\":[\"cpe:/a:redhat:openshift_gitops:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift GitOps\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-gitops-1/gitops-rhel8\",\"cpes\":[\"cpe:/a:redhat:openshift_gitops:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift GitOps\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-gitops-1/gitops-rhel8-operator\",\"cpes\":[\"cpe:/a:redhat:openshift_gitops:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift GitOps\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-gitops-1/gitops-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift_gitops:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift GitOps\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-gitops-1/gitops-rhel9-operator\",\"cpes\":[\"cpe:/a:redhat:openshift_gitops:1\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L\",\"baseScore\":8.9,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-15T14:39:38.453802Z\",\"id\":\"CVE-2026-15416\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-15416\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2496732\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/argoproj/argo-helm/commit/0f245ab\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/argoproj/argo-helm/security/advisories/GHSA-47m3-95c7-g2g8\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://thehackernews.com/2026/07/unpatched-argo-cd-repo-server-flaw.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://www.synacktiv.com/en/publications/caught-in-the-octopus-trap-unauthenticated-rce-in-argo-cd-with-codeql\",\"source\":\"secalert@redhat.com\"}]}}",
    "redhat_vex": {
      "aggregate_severity": "Important",
      "current_release_date": "2026-07-14T14:00:52+00:00",
      "cve": "CVE-2026-15416",
      "id": "CVE-2026-15416",
      "initial_release_date": "2026-07-01T00:00:00+00:00",
      "product_status:known_affected": "7",
      "product_status:known_not_affected": "5",
      "source": "Red Hat CSAF VEX",
      "status": "final",
      "title": "argo-cd: Argo CD unauthenticated remote code execution in repo-server via GenerateManifest gRPC endpoint",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-15416.json",
      "version": "3"
    },
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Argo-cd: argo cd unauthenticated remote code execution in repo-server via generatemanifest grpc endpoint\", \"metrics\": [{\"other\": {\"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}, \"type\": \"Red Hat severity rating\"}}, {\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"ADJACENT_NETWORK\", \"availabilityImpact\": \"LOW\", \"baseScore\": 8.9, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"scope\": \"CHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L\", \"version\": \"3.1\"}, \"format\": \"CVSS\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was identified in Argo CD, the GitOps engine used by Red Hat OpenShift GitOps, that could allow an unauthenticated attacker with network access to the Argo CD repo-server to achieve remote code execution. Under certain conditions, the attacker may then manipulate cached data to deploy malicious Kubernetes resources to managed clusters, potentially resulting in complete cluster compromise.\"}], \"affected\": [{\"vendor\": \"argoproj\", \"product\": \"argo-helm\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"10.0.0\", \"versionType\": \"semver\"}], \"packageName\": \"argo-helm\", \"collectionURL\": \"https://github.com/argoproj/argo-helm\", \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Red Hat\", \"product\": \"Red Hat Openshift Data Foundation 4\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"packageName\": \"odf4/odf-multicluster-rhel9-operator\", \"defaultStatus\": \"unaffected\", \"cpes\": [\"cpe:/a:redhat:openshift_data_foundation:4\"]}, {\"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift GitOps\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"packageName\": \"openshift-gitops-1/argocd-agent-rhel8\", \"defaultStatus\": \"unknown\", \"cpes\": [\"cpe:/a:redhat:openshift_gitops:1\"]}, {\"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift GitOps\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"packageName\": \"openshift-gitops-1/argocd-agent-rhel9\", \"defaultStatus\": \"unaffected\", \"cpes\": [\"cpe:/a:redhat:openshift_gitops:1\"]}, {\"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift GitOps\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"packageName\": \"openshift-gitops-1/argocd-image-updater-rhel8\", \"defaultStatus\": \"affected\", \"cpes\": [\"cpe:/a:redhat:openshift_gitops:1\"]}, {\"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift GitOps\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"packageName\": \"openshift-gitops-1/argocd-image-updater-rhel9\", \"defaultStatus\": \"unaffected\", \"cpes\": [\"cpe:/a:redhat:openshift_gitops:1\"]}, {\"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift GitOps\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"packageName\": \"openshift-gitops-1/argocd-rhel8\", \"defaultStatus\": \"affected\", \"cpes\": [\"cpe:/a:redhat:openshift_gitops:1\"]}, {\"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift GitOps\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"packageName\": \"openshift-gitops-1/argocd-rhel9\", \"defaultStatus\": \"unknown\", \"cpes\": [\"cpe:/a:redhat:openshift_gitops:1\"]}, {\"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift GitOps\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"packageName\": \"openshift-gitops-1/gitops-operator-bundle\", \"defaultStatus\": \"affected\", \"cpes\": [\"cpe:/a:redhat:openshift_gitops:1\"]}, {\"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift GitOps\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"packageName\": \"openshift-gitops-1/gitops-rhel8\", \"defaultStatus\": \"affected\", \"cpes\": [\"cpe:/a:redhat:openshift_gitops:1\"]}, {\"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift GitOps\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"packageName\": \"openshift-gitops-1/gitops-rhel8-operator\", \"defaultStatus\": \"affected\", \"cpes\": [\"cpe:/a:redhat:openshift_gitops:1\"]}, {\"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift GitOps\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"packageName\": \"openshift-gitops-1/gitops-rhel9\", \"defaultStatus\": \"unaffected\", \"cpes\": [\"cpe:/a:redhat:openshift_gitops:1\"]}, {\"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift GitOps\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"packageName\": \"openshift-gitops-1/gitops-rhel9-operator\", \"defaultStatus\": \"unaffected\", \"cpes\": [\"cpe:/a:redhat:openshift_gitops:1\"]}], \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2026-15416\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2496732\", \"name\": \"RHBZ#2496732\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://github.com/argoproj/argo-helm/commit/0f245ab\"}, {\"url\": \"https://github.com/argoproj/argo-helm/security/advisories/GHSA-47m3-95c7-g2g8\"}, {\"url\": \"https://thehackernews.com/2026/07/unpatched-argo-cd-repo-server-flaw.html\"}, {\"url\": \"https://www.synacktiv.com/en/publications/caught-in-the-octopus-trap-unauthenticated-rce-in-argo-cd-with-codeql\"}], \"datePublic\": \"2026-07-01T00:00:00.000Z\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-306\", \"description\": \"Missing Authentication for Critical Function\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"x_redhatCweChain\": \"CWE-306: Missing Authentication for Critical Function\", \"workarounds\": [{\"lang\": \"en\", \"value\": \"Limit network access to the Argo CD repo-server gRPC endpoint to trusted internal components using Kubernetes NetworkPolicy or equivalent network access controls. Do not expose the repo-server outside the cluster or to untrusted networks. Restrict access to the associated Redis service and update to a fixed version once one becomes available.\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-07-03T00:00:00.000Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-07-01T00:00:00.000Z\", \"value\": \"Made public.\"}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2026-07-14T13:46:03.711Z\"}, \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-15416\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-15T14:39:38.453802Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-15T14:08:40.669Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-15416\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"redhat\", \"dateReserved\": \"2026-07-10T14:49:39.682Z\", \"datePublished\": \"2026-07-14T08:56:29.942Z\", \"dateUpdated\": \"2026-07-15T14:39:52.411Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…