Skip to main content

Argo CD CVE-2026-15416

| EUVDEUVD-2026-43648 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-07-14 redhat
8.9
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.9 HIGH
AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
vuln.today AI
9.6 CRITICAL

CWE-306 and the 'unauthenticated' description drive PR:N (vs vendor PR:L); repo-server is an internal service so AV:A, and RCE plus cross-cluster resource deployment give S:C with C/I/A:H.

3.1 AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

4
Patch available
Jul 14, 2026 - 11:17 EUVD
Source Code Evidence Fetched
Jul 14, 2026 - 09:32 vuln.today
Analysis Generated
Jul 14, 2026 - 09:32 vuln.today
CVE Published
Jul 14, 2026 - 08:56 nvd
HIGH 8.9

DescriptionCVE.org

A flaw was identified in Argo CD, the GitOps engine used by Red Hat OpenShift GitOps, that could allow an unauthenticated attacker with network access to the Argo CD repo-server to achieve remote code execution. Under certain conditions, the attacker may then manipulate cached data to deploy malicious Kubernetes resources to managed clusters, potentially resulting in complete cluster compromise.

AnalysisAI

Remote code execution in the Argo CD repo-server component (as shipped in Red Hat OpenShift GitOps and the argoproj argo-helm chart) allows an unauthenticated attacker with network access to the repo-server to run arbitrary code and, under certain conditions, poison cached manifests to push malicious Kubernetes resources into managed clusters, enabling full cluster takeover. The root cause is missing authentication (CWE-306) on a critical internal service that the default Helm chart left network-exposed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain foothold on cluster network
Delivery
Reach unauthenticated repo-server service
Exploit
Trigger remote code execution in repo-server
Execution
Manipulate cached rendered manifests
Persist
Deploy malicious Kubernetes resources to managed clusters
Impact
Achieve full cluster compromise

Vulnerability AssessmentAI

Exploitation The attacker must have network reachability to the Argo CD repo-server service, which by design requires no authentication (CWE-306); this is the core enabling condition. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are strong but partially conflicting and must be reconciled. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has landed a low-privilege pod or otherwise gained access to the Kubernetes cluster network reaches the unauthenticated Argo CD repo-server and sends crafted input that triggers code execution within that component. Using that foothold they tamper with cached rendered manifests so that the application controller subsequently deploys attacker-chosen Kubernetes resources (e.g., privileged workloads) across managed clusters, escalating to full cluster compromise. …
Remediation The primary hardening shipped is argo-helm chart 10.0.0 (commit 0f245ab), which flips global.networkPolicy.create from false to true so NetworkPolicy objects are created for all components by default, restricting who can reach the repo-server; upgrade the chart to 10.0.0 or, if you cannot upgrade, immediately set global.networkPolicy.create=true in your values.yaml (or author equivalent NetworkPolicies) to allow ingress to the repo-server only from the Argo CD application-controller and server pods. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct inventory of all Argo CD deployments using vulnerable distributions (Red Hat OpenShift GitOps, argoproj argo-helm chart) and verify which instances are network-accessible; implement immediate network segmentation to restrict access to the repo-server component to trusted sources only, and enable detailed logging of all repo-server API calls. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-15416 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy