Issued:

2026-03-05

Updated:

2026-03-05

RHSA-2026:3884 - Important: Red Hat OpenShift GitOps v1.19.2 security update

Synopsis

Important: Red Hat OpenShift GitOps v1.19.2 security update

Type/Severity

Security Advisory Important

Topic

Important: Red Hat OpenShift GitOps v1.19.2 security update

Description

An update is now available for Red Hat OpenShift GitOps. Bug Fix(es) and Enhancement(s):

• GITOPS-8874 (CVE-2025-13465 openshift-gitops-1/console-plugin-rhel8: prototype pollution in _.unset and _.omit functions [gitops-1.19])
• GITOPS-8993 (CVE-2025-61726 openshift-gitops-1/argo-rollouts-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.19])
• GITOPS-8994 (CVE-2025-61726 openshift-gitops-1/argocd-agent-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.19])
• GITOPS-8995 (CVE-2025-61726 openshift-gitops-1/argocd-image-updater-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.19])
• GITOPS-8996 (CVE-2025-61726 openshift-gitops-1/argocd-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.19])
• GITOPS-8997 (CVE-2025-61726 openshift-gitops-1/argocd-rhel9: Memory exhaustion in query parameter parsing in net/url [gitops-1.19])
• GITOPS-8998 (CVE-2025-61726 openshift-gitops-1/dex-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.19])
• GITOPS-8999 (CVE-2025-61726 openshift-gitops-1/gitops-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.19])
• GITOPS-8949 (CVE-2025-61728 openshift-gitops-1/argocd-image-updater-rhel8: Excessive CPU consumption when building archive index in archive/zip [gitops-1.19])
• GITOPS-9017 (CVE-2025-61729 openshift-gitops-1/dex-rhel8: golang: Denial of Service due to excessive resource consumption via crafted certificate [gitops-1.19])
• GITOPS-9064 (CVE-2025-68121 openshift-gitops-1/dex-rhel8: Unexpected session resumption in crypto/tls [gitops-1.19])
• GITOPS-8685 (CVE-2026-21441 openshift-gitops-1/console-plugin-rhel8: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API) [gitops-1.19])
• GITOPS-8773 (Console plugin Applications page is broken with cannot read properties of undefined JS error)
• GITOPS-8922 (ApplicationSet cluster scoped roles missing permissions)
• GITOPS-9060 (Restrict ImageUpdater Scope to Local Namespace - z-stream)

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Fixes

(none)

CVEs

(none)

References

• https://access.redhat.com/security/cve/CVE-2025-13465

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.