- Issued:
- 2026-01-22
- Updated:
- 2026-01-23
RHSA-2026:1017 - Security Advisory
Synopsis
Important: Red Hat OpenShift GitOps v1.18.3 security update
Type/Severity
Security Advisory: Important
Topic
Important: Red Hat OpenShift GitOps v1.18.3 security update
Description
An update is now available for Red Hat OpenShift GitOps.
Bug Fix(es) and Enhancement(s):
- GITOPS-8239 (CVE-2025-47913 openshift-gitops-1/gitops-rhel8: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS [gitops-1.18])
- GITOPS-8079 (CVE-2025-58183 openshift-gitops-1/argocd-rhel8: Unbounded allocation when parsing GNU sparse map [gitops-1.18])
- GITOPS-8082 (CVE-2025-58183 openshift-gitops-1/dex-rhel8: Unbounded allocation when parsing GNU sparse map [gitops-1.18])
- GITOPS-8522 (CVE-2025-68156 openshift-gitops-1/argocd-rhel8: Expr: Denial of Service via uncontrolled recursion in expression evaluation [gitops-1.18])
- GITOPS-8523 (CVE-2025-68156 openshift-gitops-1/argocd-rhel9: Expr: Denial of Service via uncontrolled recursion in expression evaluation [gitops-1.18])
- GITOPS-7849 (Cherry pick Repo Type Fix to Argo CD 3.1 stream)
- GITOPS-7992 (openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition)
- GITOPS-8225 (RC 1.19.0-2 : haproxy replica remains 1 with HA upgrade)
- GITOPS-8249 (Prevent argoCD from automatically refreshing to gitops repository )
- GITOPS-8411 (CVE-2025-55190 still blocking due to github.com/argoproj/argo-cd/v2@v2.14.11 in gitops-rhel8:v1.18.1)
- GITOPS-8535 (Show All Namespaces or Current Namespace Only option)
- GITOPS-8591 (Reciving TargetDown after upgrading GitOps )
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
Fixes
- GITOPS-7849 - Cherry pick Repo Type Fix to Argo CD 3.1 stream
- GITOPS-7992 - openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition
- GITOPS-8225 - RC 1.19.0-2 : haproxy replica remains 1 with HA upgrade
- GITOPS-8249 - Prevent argoCD from automatically refreshing to gitops repository
- GITOPS-8411 - CVE-2025-55190 still blocking due to github.com/argoproj/argo-cd/v2@v2.14.11 in gitops-rhel8:v1.18.1
- GITOPS-8591 - Reciving TargetDown after upgrading GitOps
amd64
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:ddc27dbea59c611ffb5394114a6c754397cc0032ba3487a3f03041ed34cfce30 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:1438757fd131c12d8ae3a1edb5757bc63114b882d00563be2857917611008418 |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:32ae33eb3d84b30020cb6732e5c84f76cbd2de6abdd7b42e72be887015c49d35 |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:8286093133d109fe0d852491fda66c66d893527f3364c587b6d09823088bcba6 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:779c33c3679e47ebca0af343ba6e26d2723cfc9affdcee4df54078ef68278016 |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:ae7a2d5c703f6caa7d4facffe3c141bed9739b88967f5a832cf9005b2f815561 |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:ed37ac2ef10a9107672556fe62e19020d470745a0ec04378ed840949c49a6234 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:1cbde70be8f1035b0f45b02e0663c28aa444ea5bc2c8bca580ff164dcfff4196 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:3cde1fe9926ec2d6d7618cee7a053b1f66c8ebe1a5f6d9e097914b3d3d6f8ca1 |
| registry.redhat.io/openshift-gitops-1/gitops-operator-bundle@sha256:a4e9887db8647c4e958df4725f08340a9c6a462cd18fd2bf9c9f1fc939649740 |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:4bb1a9bd246dac5d17ea6bb1556d7ebb87e794369f75913d3d197d2c55a48015 |
arm64
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:d529b4bbae3cfcf25ea91a29d3c9eb701ef6a3a54e6e0c0117c649f3e4dbe2dc |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:0eb572fc96ae2e1973ce43515f03121965600bb09ef0b995eb467f5965c2246c |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:1ac33bdd539b1bf2033e27f3127badf1afd2d5fdeef9fd51f00feeffdd936f32 |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:571c6d9d4e84c6fcd278e13f15e71b527b618ac7d98c477c516d91e0097ba40c |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:0f883371ffee9d87547a4dc9524a35c5e6cce840a722bf3a01b1be3c1396fdb1 |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:6f16630ff37a5e18b5f8eee782edd6ada351a60b41fdab1bbfda27ebb297135a |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:a0236e0cf364d15553a77f0c12f8f8c0bb12ebf2c49c43c68da4f3f28b93e781 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:7fbb7d98b130e1dc6c9f5f440244a05bff22e34ab70f5e57e45d4b70e4e3f8da |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:10aa721d5a3c55fad979603898fa3b5d504c4911559b8615edfce9a5d0653ff0 |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:54a92917be83722915ce05181652988342015eeb3e54fa3b4dd226d6fd493ccd |
ppc64le
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:f87ac5bb84230c4c34f5404adbc45347a295fb1e60095c2e4ad1e0ea126382b5 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:f8d8f51bd4aeba9dcfd4edad0720410d289ac0e7a2642c90128d506d69d42c77 |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:a621f4cfd83907d57317ce941f470ba4b0fb5d599aab38db936e591dde426404 |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:0330e4aab6eb9d7c54417d2a6c5aaf959319eb1c811ab91085570295dc19b258 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:88d55cc7ec87db114cc60c9c7a67e9c6a69aae69c30a6c076bd94f239a84498c |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:b6c961fab1178fcc25126ac214d0a7e15bf5738291e2e16c4e05ec320e54fcca |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:ab7de39ebdcc363fe61d919ebf430d6e533ddc108075c19f9c9e6d71938bfd6e |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:853107e7329e189ded3fc5ca657366e27010f468b1be813264efd9e2cf90c906 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:43ba408b8ed58259bf338fd29260d936fbde9846f772d0580b3e7486ef8ea300 |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:376ef09554debe6042424f2b4464922cf1aeb14d801fea5c81900d24ce028a39 |
s390x
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:58b596569b8de68d7474d949fd30d9a1666f1f08ea81e8264b9132263b61377b |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:a333f6b8ae405b22c746a02bd38a125753a347e7e2c352ec690fa97388b3a40b |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:a6141b3b5508dc9690ae15ebc3efd33a3fc71382a7dd449a954ffe181f8cd138 |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:259bb75abc6b464d9badf8b110ab239232152010ada0c407241fab47ecbbae6e |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:6e8d1e3c7bee9c2c2bee357af24bae34510fe6b87075b98f5be34e41dd70d152 |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:bca47a6bb7edb70b24927ea02484c91bc4ce35cc8ebb24f5d68cb28193e77fda |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:792cbe51a6e0f80d9a97b5a6a538a36f756467624144ad3af2c2da53f85db68c |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:1992f4b3414b6955295827e06e8e5e635f754eb3e0b52ca181e80add613d1ba4 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:e73fa4b644e17e520cc9836d4b235a5ae02e10a6a21addc2ae959832d4e08143 |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:de7cde72fcb72eccc9f5ea89eed7094e4c976c3e331c48ef450339323a326da1 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
