CVE-2026-42880
ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
CVSS Score
9.6
EPSS Score
0.0%
EPSS Percentile
0th
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 3.2.0 up to but not including 3.2.11, and 3.3.0 up to but not including 3.3.9, Argo CD's ServerSideDiff endpoint lacks an authorization check and does not mask Secret data in what it returns. An attacker with only read-only access can therefore use the endpoint to obtain plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.
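As an added example (not code from the Argo CD project or from this advisory), the Go program below does two things a practitioner would want after reading the description: it checks whether a reported Argo CD version falls inside the affected ranges stated above, and it shows the kind of masking a diff endpoint has to apply to core/v1 Secret objects before a dry-run result is handed back to a caller. The placeholder string, the function names and the sample dry-run object are assumptions made for this example; Argo CD's actual fix is not reproduced here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Placeholder written over Secret values. An assumption of this example, not
// the marker Argo CD's own masking uses.
const placeholder = "********"

// version is MAJOR.MINOR.PATCH plus a pre-release flag. A pre-release sorts
// before the release it names (3.2.11-rc1 < 3.2.11), so a release candidate
// of the fixed version is still reported as affected.
type version struct {
	n   [3]int
	pre bool
}

// parseVersion accepts forms such as "v3.2.10", "3.3.8+gabc123" or "3.2.11-rc1".
func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.Index(s, "+"); i >= 0 { // build metadata never affects ordering
		s = s[:i]
	}
	if i := strings.Index(s, "-"); i >= 0 {
		v.pre, s = true, s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("expected MAJOR.MINOR.PATCH, got %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad component %q in %q", p, s)
		}
		v.n[i] = n
	}
	return v, nil
}

// less reports whether a sorts before b.
func less(a, b version) bool {
	for i := range a.n {
		if a.n[i] != b.n[i] {
			return a.n[i] < b.n[i]
		}
	}
	return a.pre && !b.pre
}

// affectedRanges lists {first affected, first fixed} per release line, taken from the advisory.
var affectedRanges = [][2][3]int{{{3, 2, 0}, {3, 2, 11}}, {{3, 3, 0}, {3, 3, 9}}}

// IsAffected reports whether an Argo CD version string lies in an unpatched range.
func IsAffected(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		if !less(v, version{n: r[0]}) && less(v, version{n: r[1]}) {
			return true, nil
		}
	}
	return false, nil
}

// MaskSecretData overwrites every value under data and stringData of a core/v1
// Secret (decoded as generic JSON) with the placeholder, keeping the keys so a
// diff still shows which entries changed. It returns the number of values masked;
// objects that are not core/v1 Secrets are left untouched.
func MaskSecretData(obj map[string]interface{}) int {
	apiVersion, _ := obj["apiVersion"].(string)
	kind, _ := obj["kind"].(string)
	if apiVersion != "v1" || kind != "Secret" {
		return 0
	}
	masked := 0
	for _, field := range []string{"data", "stringData"} {
		m, _ := obj[field].(map[string]interface{})
		for k := range m { // ranging over a nil map is a no-op
			m[k] = placeholder
			masked++
		}
	}
	return masked
}

func main() {
	for _, s := range []string{"v3.2.10", "v3.2.11", "v3.3.9-rc1", "v3.4.0"} {
		affected, err := IsAffected(s)
		fmt.Printf("%-11s affected=%-5v err=%v\n", s, affected, err)
	}
	// Constructed stand-in for one object as a Server-Side Apply dry-run returns it.
	const dryRun = `{"apiVersion":"v1","kind":"Secret","metadata":{"name":"db-creds"},
"type":"Opaque","data":{"username":"YWRtaW4=","password":"cy4zY3IzdA=="}}`
	var obj map[string]interface{}
	if err := json.Unmarshal([]byte(dryRun), &obj); err != nil {
		panic(err)
	}
	n := MaskSecretData(obj)
	out, _ := json.Marshal(obj)
	fmt.Printf("masked %d values: %s\n", n, out)
}
```

The masking keeps key names and only rewrites values, so a caller can still see that `password` changed without learning what it changed to; masking applied on the server side before the response leaves the process is what closes the gap described above, not masking in a UI.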
| CWE | CWE-200 CWE-212 |
| Vendor | argoproj |
| Product | argo-cd |
| Published | May 7, 2026 |
| Last Updated | May 8, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
Affected Versions
argoproj / argo-cd
>= 3.2.0, < 3.2.11
>= 3.3.0, < 3.3.9