CVE-2026-42880

EUVD-2026-28469

07.05.2026, 23:16

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.6 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 29%

Affected Products (NVD)

Vendor	Product	Version
argoproj	argo_cd	3.2.0 ≤ 𝑥 < 3.2.11
argoproj	argo_cd	3.3.0 ≤ 𝑥 < 3.3.9

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3