- Issued:
- 2026-03-05
- Updated:
- 2026-03-05
RHSA-2026:3884 - Security Advisory
Synopsis
Important: Red Hat OpenShift GitOps v1.19.2 security update
Type/Severity
Security Advisory: Important
Topic
Important: Red Hat OpenShift GitOps v1.19.2 security update
Description
An update is now available for Red Hat OpenShift GitOps.
Bug Fix(es) and Enhancement(s):
- GITOPS-8874 (CVE-2025-13465 openshift-gitops-1/console-plugin-rhel8: prototype pollution in _.unset and _.omit functions [gitops-1.19])
- GITOPS-8993 (CVE-2025-61726 openshift-gitops-1/argo-rollouts-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.19])
- GITOPS-8994 (CVE-2025-61726 openshift-gitops-1/argocd-agent-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.19])
- GITOPS-8995 (CVE-2025-61726 openshift-gitops-1/argocd-image-updater-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.19])
- GITOPS-8996 (CVE-2025-61726 openshift-gitops-1/argocd-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.19])
- GITOPS-8997 (CVE-2025-61726 openshift-gitops-1/argocd-rhel9: Memory exhaustion in query parameter parsing in net/url [gitops-1.19])
- GITOPS-8998 (CVE-2025-61726 openshift-gitops-1/dex-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.19])
- GITOPS-8999 (CVE-2025-61726 openshift-gitops-1/gitops-rhel8: Memory exhaustion in query parameter parsing in net/url [gitops-1.19])
- GITOPS-8949 (CVE-2025-61728 openshift-gitops-1/argocd-image-updater-rhel8: Excessive CPU consumption when building archive index in archive/zip [gitops-1.19])
- GITOPS-9017 (CVE-2025-61729 openshift-gitops-1/dex-rhel8: golang: Denial of Service due to excessive resource consumption via crafted certificate [gitops-1.19])
- GITOPS-9064 (CVE-2025-68121 openshift-gitops-1/dex-rhel8: Unexpected session resumption in crypto/tls [gitops-1.19])
- GITOPS-8685 (CVE-2026-21441 openshift-gitops-1/console-plugin-rhel8: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API) [gitops-1.19])
- GITOPS-8773 (Console plugin Applications page is broken with cannot read properties of undefined JS error)
- GITOPS-8922 (ApplicationSet cluster scoped roles missing permissions)
- GITOPS-9060 (Restrict ImageUpdater Scope to Local Namespace - z-stream)
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
Fixes
- GITOPS-8773 - Console plugin Applications page is broken with cannot read properties of undefined JS error
- GITOPS-8922 - ApplicationSet cluster scoped roles missing permissions
amd64
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:2e1362c72a0d6887a940a0bdf26b6bce9eb510064700e9f095c408abbd49c9bf |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:e47bf6b1a868b557ae88ff0a284711ea5c9379bcc2bbefdcbd3ab501b4c3232d |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:cac9de88e325bdcd774e47416349cd04d9485140ba2757789af7ece0bfdc5f10 |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:92123645a6195209ae1159cc3366f7d937773aa47ce4b2d95e071994e7ad5326 |
| registry.redhat.io/openshift-gitops-1/argocd-image-updater-rhel8@sha256:2c9c09665cdfe0d15496232eecb98d8a8a0ec415e31162113e022de9729653ab |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:ea4f3f8e721945a2ca03156e50b1b76aabf2ebef72fb9db57eebf526b730f5a4 |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:f92a748e4817a870c7569e23e5b932bac130e1d0d73a6a4de77f4f29e5e496cb |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:4c572caa0d2e8a75b3649efb4bc1d0dd00ce0d07272904de2db102713a44d8c0 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:205ce0b74260a20a4d354ca3389ebf1b652d783b3d2207e5fdf207c559277923 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:5cd649d78637066890ba3af1963dbfb3be9b51f7f43e7a501a38e1fc1355f77b |
| registry.redhat.io/openshift-gitops-1/gitops-operator-bundle@sha256:00e866aafc577f084f3bc233becd9dac15404831189a122c362112791411a796 |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:6657305ece826ffc36b4f6ed48fd438a72bc4366c4b88d7d4d724a495496b201 |
arm64
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:138be82b54de000e765bee3b77ecedb271228e720d8195f4dd6adcf5ec4c50bc |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:78d1ebdf50b49e4acce49cf9de00e2a0f38efa00df5e44d359eaf7fedb13cab9 |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:62df2a36dcf0e875d62882fd22ac10df0577e6edf1593c5a2cb425287ea747d1 |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:86daebba4143bbc47fbe21fd201fd4724dd58a235e6880b872eabdc62d74323d |
| registry.redhat.io/openshift-gitops-1/argocd-image-updater-rhel8@sha256:d1e3f3cc9aae3466975e4d6e7699a5f098538df9f831492a9b49be2fec49b7a8 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:aeccbbcdb0f4311c3c2f1408f6e72fbfb73273138f3fddd7f3b678e71ee7f3e7 |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:4e2e35b6afc23e853e907050b82f405c6d207891728ff93b466066f99f970c64 |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:0cae9c459339fc3c6a81664cb29927be1948ac162ed2c7d03189d12fbf66b89a |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:ed23c99b468e0ca372ce60af126c454e744df44d1a6251640244d7c207843dce |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:994a659056aaed2c2e07b703afbc340deeda017369b476f64a24fa4098bb40ea |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:69a1224c7a74cf4ba40b074b3eca5aecde4d91cf11c17f87b1cb796ebfb488d0 |
ppc64le
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:a4b401970e2f2392983adf4e4fdc02b5219cd007f6fab853a5e77e65b504ff14 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:d79ab12f0505b689e03a04952ddb4b8cb096a544742195443e17f040edc64778 |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:826d6f6528ded7c7d06bda756db80b65a85dccc845da6e9549f292e15bbe1e62 |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:ead132dfd8d85e9b2abfa332c6da9c7354b09eebcb2e3aa13f0376c6ac32562d |
| registry.redhat.io/openshift-gitops-1/argocd-image-updater-rhel8@sha256:4c7f4f07f63ec65cea08d79a3216d1281ab4e30116e9eba68f6196680e90ff7b |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:c4efd2edea9a977c138a7af1fb2aa0363b9a880091332b6a0797028dd3afc3a8 |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:9c6a85524d75533871329af0b6dfa089f443286399c375501d595b3f8a4a56e1 |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:ae393beb1e5b23747e3ace0d4bbd508a527ae03d6110dc66bd63b3a5ad30d949 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:9e0fb76618eb0da7b081c1b4d9e80e945b6f2d586dc2e010355454425d6f0904 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:36bd74ee180fa7d46ac0724f6f1d6c248f017bc69d80750665b820f6c6684a13 |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:1670185c7ff51b07280157424fefb192554dac53c9065f309d4b9decb2423bb1 |
s390x
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:5ffdb073886df729a401b3b11c192f6fa1cf300dc72735f59a7b087dbfbe64d1 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:7d86d3ca3e7973f9d03d938977fb5486c009a7a2f6a342ef806078ed04eb9946 |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:f992bca52fbfa76a67b07d3cf5a7921234dbf4765d77acddc3b53c7cd6c6af4e |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:d193023a0943e711f3a4ac3fa541d2996c0e49f4fc3df380e0c3d203d9447d9c |
| registry.redhat.io/openshift-gitops-1/argocd-image-updater-rhel8@sha256:733cd034e950192fc651610d5d8f0e3eb0d0e8cbb6d27efbec297446854b36c1 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:3fa5c0abd247240801d6b92d01579587472a219465c229f9d73c8a2245610a70 |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:90a212ffbf689c1c9d0f8afaef542cf4cd9feb8da72391effef4f108b91f859c |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:1c28dbd5f4f8ae64c154701712918c70a52f3bbf778134bcac730ac8eb13927a |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:7850be031957aa5cae31c89d3e460081eeca1af89ee2c5991908e90261e1804e |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:55528ebf8f834c4c75412edc02e843bb6cbfdfacfa0592f8207792e8550d4bff |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:65d6682940dac0f4f0f8153c26e9497f4e1bb3c9b57528ca2901d73df9499120 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
