Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.
Published: 2026-05-07
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Argo CD v3.2 and v3.3 prior to 3.2.11 and 3.3.9 contain a missing authorization and data‑masking bug in the ServerSideDiff endpoint. The flaw allows any user with only read‑only access in Argo CD to trigger the Kubernetes API server’s Server‑Side Apply dry‑run feature and obtain plaintext Secret values stored in etcd, thereby leaking sensitive passwords, tokens, or keys that could be used for further cluster compromise.

Affected Systems

The affected product is Argo CD from argoproj, with vulnerable releases 3.2.0 through 3.2.10 and 3.3.0 through 3.3.8; the issue is fixed in versions 3.2.11 and 3.3.9 and later releases.

Risk and Exploitability

With a CVSS score of 9.6, this vulnerability is rated critical, driven by its confidentiality impact. No EPSS score is available, but the lack of proper authorization controls on the endpoint suggests a high probability of exploitation in environments that grant wide read‑only access. The vulnerability is not listed in CISA KEV, indicating no known public exploit yet; nevertheless, the potential to exfiltrate sensitive cluster data makes it a high‑risk issue for organizations running the affected releases.

Generated by OpenCVE AI on May 7, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Argo CD to v3.2.11 or v3.3.9 or later.
  • If an upgrade is not immediately possible, restrict read‑only users so they cannot call the ServerSideDiff endpoint, or disable the endpoint through Argo CD configuration.
  • Audit and tighten Kubernetes Role‑Based Access Control to ensure that Server‑Side Apply dry‑run is not invoked with elevated permissions by unauthorized users.

Advisories

Source: GitHub GHSA
ID: GHSA-3v3m-wc6v-x4x3
Title: ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction

History

Thu, 07 May 2026 23:45:00 +0000

Values added:
  • First Time appeared: Argoproj; Argoproj argo-cd
  • Vendors & Products: Argoproj; Argoproj argo-cd

Thu, 07 May 2026 22:45:00 +0000

Values added:
  • Description: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.
  • Title: ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
  • Weaknesses: CWE-200, CWE-212
  • References: (none)
  • Metrics: cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T22:20:39.506Z

Reserved: 2026-04-30T18:49:06.711Z

Link: CVE-2026-42880

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-07T23:16:32.450

Modified: 2026-05-07T23:16:32.450

Link: CVE-2026-42880

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T23:30:40Z

Weaknesses