CVE-2026-42880

Summary

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

Affected Software

VendorProductVersion RangeStatus
argoprojargo-cd>= 3.2.0, < 3.2.11affected
argoprojargo-cd>= 3.3.0, < 3.3.9affected

Weaknesses

  • CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-212: CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

argoproj/argo-cd: Argo CD: Information disclosure of Kubernetes Secret data via Server-Side Apply dry-run mechanism

Additional References

References