- Issued:
- 2026-03-05
- Updated:
- 2026-03-05
RHSA-2026:3869 - Security Advisory
Synopsis
Important: Red Hat OpenShift GitOps v1.17.5 security update
Type/Severity
Security Advisory: Important
Topic
Important: Red Hat OpenShift GitOps v1.17.5 security update
Description
An update is now available for Red Hat OpenShift GitOps.
Bug Fix(es) and Enhancement(s):
- GITOPS-8438 (CVE-2025-12816 openshift-gitops-1/console-plugin-rhel8: node-forge: Interpretation conflict vulnerability allows bypassing cryptographic verifications [gitops-1.17])
- GITOPS-8868 (CVE-2025-13465 openshift-gitops-1/console-plugin-rhel8: prototype pollution in _.unset and _.omit functions [gitops-1.17])
- GITOPS-8979 (CVE-2025-61726 openshift-gitops-1/argo-rollouts-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.17])
- GITOPS-8980 (CVE-2025-61726 openshift-gitops-1/argocd-agent-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.17])
- GITOPS-8981 (CVE-2025-61726 openshift-gitops-1/argocd-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.17])
- GITOPS-8982 (CVE-2025-61726 openshift-gitops-1/argocd-rhel9: Memory exhaustion in query parameter parsing in net/url [gitops-1.17])
- GITOPS-8983 (CVE-2025-61726 openshift-gitops-1/dex-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.17])
- GITOPS-8984 (CVE-2025-61726 openshift-gitops-1/gitops-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.17])
- GITOPS-8985 (CVE-2025-61726 openshift-gitops-1/gitops-rhel8-operator: Memory exhaustion in query parameter parsing in net/url [gitops-1.17])
- GITOPS-8486 (CVE-2025-66418 openshift-gitops-1/console-plugin-rhel8: urllib3: Unbounded decompression chain leads to resource exhaustion [gitops-1.17])
- GITOPS-8487 (CVE-2025-66418 openshift-gitops-1/must-gather-rhel8: urllib3: Unbounded decompression chain leads to resource exhaustion [gitops-1.17])
- GITOPS-8641 (CVE-2025-66471 openshift-gitops-1/console-plugin-rhel8: urllib3 Streaming API improperly handles highly compressed data [gitops-1.17])
- GITOPS-8683 (CVE-2026-21441 openshift-gitops-1/console-plugin-rhel8: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API) [gitops-1.17])
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
Fixes
(none)amd64
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:227a8e4f996b077ad1a284c5e14855e37423e99c62175f6862d13e8201c588e5 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:9a17ad8e4efa4ce78562d503bc360f7b661f0d75dd8e0fd454909f49f099fa58 |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:857f0a30e261a68dd35a92a661259f7a1bbbf0d806b3fd294bb4bdbaed34a2a2 |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:88f63890290927cca47e1e1aaee21a95a5f462af46ab4400a0f6e430e1f5623b |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:8fa4b854c88f6d1ebabccbb847dd11d9bee66275b5091f6bcd9b0eb860e52444 |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:51878bf4ea05a68c73ebd99664ef4b3c718fc8ec53cf98bcac589b4267af7764 |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:162f9d7ff3c4e5e06e73a6c8cd24dbd9afaacacbf6d57d83988a4e27754f0754 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:bb77af2ec9c342d965013140e1a1a07a3c9e587a171f532017240e2d7d49fb81 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:a471627df8d44e2b36c5c96907f59919205dd3865337eada062b2cc9016acf0b |
| registry.redhat.io/openshift-gitops-1/gitops-operator-bundle@sha256:28f4abb103e42261349702992b66571b260509fd25546bfe6e0a2dc6b916822f |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:cb155e6a4614ad0f18ac8cef9a1d0baeff6046759f5c299aceff528c780b1aae |
arm64
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:a8a6e1c81223128f24b66619cf373666957067605f3df9d85ecf3319da7e68ae |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:d73dc505b53a564bb1f4c6f3bbd8ae645ea3184aa10d9193594de5c77f985c74 |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:321c3940495fdca2243f65ba5e197c1a6d91c3d615e3fedbe7227d14664b5398 |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:ae59e94554327b660b9d7ae36c21dae91d53e1511c042f64aaa79bd92cc4db4b |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:52a017f6e2408179a323dc5e6ff043861d49c757be5a0d0dd7af4d6941629508 |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:da70d77c71e755144cc5ed0224b78c78b4a6676db998040bce16becfd731a11a |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:d4738ad5467d0bf0e851d239ed97c81fe23929b2f6c24f9dac5af6231b16d4f1 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:f273f0d3cc853299d3ce00ca2a4c7da47904ed85b3af45892d6166e944e9b1a8 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:598b09264240b26fae498f509e20b7558ff863f51a7767175b2bdf56b4f5c601 |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:cfba16df56118b9b5dd29cedc795dcdb28d3afce227e72d2cdb8459fe0d6b712 |
ppc64le
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:dd441993e9b173999be85c6f69718e3f7b433caad5e6c65c0d359fd259c91b77 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:5654b69c24a1bb03e5fd6a60635c18d8def47a259169ad5680d125b429e41678 |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:6ecd87f063a5ec9cf3281f008fcb80d12d77e291459440464a35ed10d12a3bdc |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:674ff46ec584be22c7388fc25a7534dbb9aa3c8b14b5401bd76fab8480ebd609 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:c8bb51aadf678fdb8ff83135be94b84df53d4551915ba7af44fb3ed5cfe4a075 |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:382872d09838547bd7b9416f5c800afb28c290e3a14109285da3ca2ff94a22af |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:76134796ff5c05eb6fdd9e6520b4d32ae054822a9fc94584f48ce87c2e3ec6c3 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:ee1b4b94bdd5edf6fb3011e857b0976a6e2fd1bbb05abd645eaa8b87d56e7fc9 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:f61631f167ea0d49d3d3a4658b61fd31e38cf355bec3ba8d029f8d15f94e9bde |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:324f9c28aa6b65266601792f16503ff8ea1bff275b989900d4d589667864dcbd |
s390x
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:0a66843c2b966114a3438d4f11d2bc6cafe46ae4e3e941baf01bc0301aff7fd7 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:0d754ffcfee2da93c085f92a973adb47e2cc65f44be8a1b162983a52a213fb13 |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:75ae465e708b6cdc35ead810e63e06e31748f0c2ed5bf594354923ddd0917c2f |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:01d3bc986dfab006ffae245d3afc81215d7f1ffe314625f3f7ec1334e4336a2e |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:d0c3317fb4530c48734a993ea4cf4ad958de50e2e9bdc1cbfec84abe2e143fb7 |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:7a587b41a50879e4ac1b7ce35efaa2e6b05227a08da041ea0b21b889c07d8b6a |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:dc8b2b43eb5f9c10be39bfc326068bc5680844bdcc9970c6cebfe952f3f42e58 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:6858c39ea40232e9a4c240acdf0fd81c5621383d8d8b0c54ccbcce4918f67a69 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:f5e35c07cddd43dfc71820d47579243e5f423e8672104570c5953eacf4f0b62c |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:d91a34db2326485562ef994f117bcf7d0d5ecf3804dc3724fc5528552fe6c6bf |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
