- Issued: 2026-03-05
- Updated: 2026-03-05
RHSA-2026:3874 - Security Advisory
Synopsis
Important: Red Hat OpenShift GitOps v1.18.4 security update
Type/Severity
Security Advisory: Important
Topic
Important: Red Hat OpenShift GitOps v1.18.4 security update
Description
An update is now available for Red Hat OpenShift GitOps.
Bug Fix(es) and Enhancement(s):
- GITOPS-8439 (CVE-2025-12816 openshift-gitops-1/console-plugin-rhel8: node-forge: Interpretation conflict vulnerability allows bypassing cryptographic verifications [gitops-1.18])
- GITOPS-8870 (CVE-2025-13465 openshift-gitops-1/argocd-rhel9: prototype pollution in _.unset and _.omit functions [gitops-1.18])
- GITOPS-8871 (CVE-2025-13465 openshift-gitops-1/console-plugin-rhel8: prototype pollution in _.unset and _.omit functions [gitops-1.18])
- GITOPS-8986 (CVE-2025-61726 openshift-gitops-1/argo-rollouts-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.18])
- GITOPS-8987 (CVE-2025-61726 openshift-gitops-1/argocd-agent-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.18])
- GITOPS-8988 (CVE-2025-61726 openshift-gitops-1/argocd-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.18])
- GITOPS-8989 (CVE-2025-61726 openshift-gitops-1/argocd-rhel9: Memory exhaustion in query parameter parsing in net/url [gitops-1.18])
- GITOPS-8990 (CVE-2025-61726 openshift-gitops-1/dex-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.18])
- GITOPS-8991 (CVE-2025-61726 openshift-gitops-1/gitops-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.18])
- GITOPS-8992 (CVE-2025-61726 openshift-gitops-1/gitops-rhel8-operator: Memory exhaustion in query parameter parsing in net/url [gitops-1.18])
- GITOPS-8324 (CVE-2025-66031 openshift-gitops-1/console-plugin-rhel8: node-forge ASN.1 Unbounded Recursion [gitops-1.17])
- GITOPS-8488 (CVE-2025-66418 openshift-gitops-1/console-plugin-rhel8: urllib3: Unbounded decompression chain leads to resource exhaustion [gitops-1.18])
- GITOPS-8489 (CVE-2025-66418 openshift-gitops-1/must-gather-rhel8: urllib3: Unbounded decompression chain leads to resource exhaustion [gitops-1.18])
- GITOPS-8643 (CVE-2025-66471 openshift-gitops-1/console-plugin-rhel8: urllib3 Streaming API improperly handles highly compressed data [gitops-1.18])
- GITOPS-9063 (CVE-2025-68121 openshift-gitops-1/dex-rhel8: Unexpected session resumption in crypto/tls [gitops-1.18])
- GITOPS-8684 (CVE-2026-21441 openshift-gitops-1/console-plugin-rhel8: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API) [gitops-1.18])
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
Fixes
(none)
CVEs
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.