CVE-2026-42880

EUVD-2026-28469

07.05.2026, 23:16

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.6 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Vulnerability Media Exposure

[GERMAN] Argo CD: Schwachstelle ermöglicht Offenlegung von Informationen
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Argo CD ausnutzen, um Informationen offenzulegen.
Published: 2026-05-05T22:00:00+00:00

References

https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3