- Issued:
- 2026-01-22
- Updated:
- 2026-01-23
RHSA-2026:1017 - Important: Red Hat OpenShift GitOps v1.18.3 security update
Synopsis
Important: Red Hat OpenShift GitOps v1.18.3 security update
Type/Severity
Security Advisory Important
Topic
Important: Red Hat OpenShift GitOps v1.18.3 security update
Description
An update is now available for Red Hat OpenShift GitOps. Bug Fix(es) and Enhancement(s):
- GITOPS-8239 (CVE-2025-47913 openshift-gitops-1/gitops-rhel8: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS [gitops-1.18])
- GITOPS-8079 (CVE-2025-58183 openshift-gitops-1/argocd-rhel8: Unbounded allocation when parsing GNU sparse map [gitops-1.18])
- GITOPS-8082 (CVE-2025-58183 openshift-gitops-1/dex-rhel8: Unbounded allocation when parsing GNU sparse map [gitops-1.18])
- GITOPS-8522 (CVE-2025-68156 openshift-gitops-1/argocd-rhel8: Expr: Denial of Service via uncontrolled recursion in expression evaluation [gitops-1.18])
- GITOPS-8523 (CVE-2025-68156 openshift-gitops-1/argocd-rhel9: Expr: Denial of Service via uncontrolled recursion in expression evaluation [gitops-1.18])
- GITOPS-7849 (Cherry pick Repo Type Fix to Argo CD 3.1 stream)
- GITOPS-7992 (openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition)
- GITOPS-8225 (RC 1.19.0-2 : haproxy replica remains 1 with HA upgrade)
- GITOPS-8249 (Prevent argoCD from automatically refreshing to gitops repository )
- GITOPS-8411 (CVE-2025-55190 still blocking due to github.com/argoproj/argo-cd/v2@v2.14.11 in gitops-rhel8:v1.18.1)
- GITOPS-8535 (Show All Namespaces or Current Namespace Only option)
- GITOPS-8591 (Reciving TargetDown after upgrading GitOps )
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat OpenShift GitOps | 1.18 | x86_64 |
Fixes
(none)
CVEs
(none)
References
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.