CVE-2026-42880
Argo CD ServerSideDiff Missing Authorization Exposes Secrets
Publication date: 2026-05-07
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| argoproj | argo_cd | From 3.2.0 (inc) to 3.2.11 (exc) |
| argoproj | argo_cd | From 3.3.0 (inc) to 3.3.9 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-212 | The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Argo CD, a GitOps continuous delivery tool for Kubernetes. Specifically, in versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in the ServerSideDiff endpoint. This flaw allows an attacker who has read-only access to extract plaintext Kubernetes Secret data from etcd by exploiting the Kubernetes API server's Server-Side Apply dry-run mechanism.
The issue has been fixed in versions 3.2.11 and 3.3.9.
How can this vulnerability impact me?
An attacker with read-only access can exploit this vulnerability to obtain sensitive Kubernetes Secret data in plaintext. This can lead to unauthorized disclosure of confidential information such as credentials, tokens, or keys stored in Kubernetes Secrets, potentially compromising the security of your Kubernetes environment.
The vulnerability has a high severity score (CVSS 9.6) indicating it can have a significant impact on confidentiality and integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Argo CD to a patched version. The issue is fixed in versions 3.2.11 and 3.3.9, so updating to at least one of these versions will address the missing authorization and data-masking gap.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism due to a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint.
Exposure of sensitive secret data in plaintext could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to sensitive information and mandate protection of personal and health-related data.
Therefore, organizations using affected versions of Argo CD may face compliance risks if this vulnerability is exploited, as it compromises confidentiality and could lead to unauthorized disclosure of sensitive data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying the version of Argo CD running in your environment to see if it falls within the affected versions (3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9). Additionally, you can check if the ServerSideDiff endpoint is accessible and if it returns unmasked Secret data when queried by a user with read-only access.
To detect the vulnerability, you can run commands to check the Argo CD version and test the ServerSideDiff endpoint for exposure of Secret data.
- Check the Argo CD version: kubectl -n argocd get deployment argocd-server -o jsonpath='{.spec.template.spec.containers[0].image}' (the tag of the returned image reference is the Argo CD version; compare it against the affected ranges).
- Attempt to call the ServerSideDiff endpoint using an authenticated user with read-only permissions and inspect the response for unmasked Secret data. This typically requires using Argo CD CLI or API calls with appropriate authentication.
- Look for the presence of the annotation 'argocd.argoproj.io/compare-options: IncludeMutationWebhook=true' on applications, as this disables a defense layer and increases exposure risk.
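As an added example (not from the advisory page), a small Python helper that applies the first and third checks above offline: it parses the version tag from the image reference returned by the kubectl command and tests it against the affected ranges, and it inspects an Application manifest for the compare-options annotation. The image references and the Application dictionary it uses are constructed sample inputs.

```python
"""Constructed triage helper for CVE-2026-42880 (added example, not advisory code).
Assumes the argocd-server image tag carries the Argo CD version, e.g. argocd:v3.2.10."""
import re

# Affected ranges from the advisory: [3.2.0, 3.2.11) and [3.3.0, 3.3.9)
AFFECTED_RANGES = [((3, 2, 0), (3, 2, 11)), ((3, 3, 0), (3, 3, 9))]
COMPARE_ANNOTATION = "argocd.argoproj.io/compare-options"


def parse_version(image: str):
    """Return (major, minor, patch) from an image reference's tag, or None.
    Digest-pinned images (name@sha256:...) and untagged images yield None."""
    last = image.split("/")[-1]          # drop registry/namespace, keep name[:tag]
    tag = last.rsplit(":", 1)[-1] if ":" in last else ""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", tag)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(image: str) -> bool:
    """True if the image's version falls inside an affected range.
    Unknown versions return False; resolve the digest manually instead of guessing."""
    v = parse_version(image)
    if v is None:
        return False
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def uses_mutation_webhook_compare(app: dict) -> bool:
    """True if an Application sets compare-options IncludeMutationWebhook=true,
    which the advisory notes disables a defense layer and raises exposure risk."""
    annotations = app.get("metadata", {}).get("annotations") or {}
    opts = annotations.get(COMPARE_ANNOTATION, "")
    return any(o.strip() == "IncludeMutationWebhook=true" for o in opts.split(","))


if __name__ == "__main__":
    # Constructed sample output of the kubectl jsonpath command and a sample Application.
    sample_image = "quay.io/argoproj/argocd:v3.2.10"
    sample_app = {"metadata": {"name": "payments", "annotations": {
        COMPARE_ANNOTATION: "ServerSideDiff=true,IncludeMutationWebhook=true"}}}
    print("affected version:", is_affected(sample_image))
    print("mutation webhook compare:", uses_mutation_webhook_compare(sample_app))
```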