Skip to main content

Argo CD CVE-2026-43824

| EUVDEUVD-2026-26726 HIGH
Improper Removal of Sensitive Information Before Storage or Transfer (CWE-212)
2026-05-02 mitre
7.7
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Red Hat
9.6 HIGH
qualitative

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
May 04, 2026 - 14:16 nvd
Patch available
Patch available
May 02, 2026 - 03:01 EUVD
Analysis Generated
May 02, 2026 - 02:30 vuln.today
EUVD ID Assigned
May 02, 2026 - 02:00 euvd
EUVD-2026-26726
Analysis Generated
May 02, 2026 - 02:00 vuln.today
CVE Published
May 02, 2026 - 01:20 nvd
HIGH 7.7

DescriptionCVE.org

In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.

AnalysisAI

Authenticated users with low privileges can read cleartext Kubernetes Secret data through Argo CD's ServerSideDiff feature in versions 3.2.0-3.2.10 and 3.3.0-3.3.8. This scope-changing vulnerability (CVSS:3.1 S:C) allows attackers to access sensitive credential data managed by Kubernetes, including database passwords, API tokens, and certificates, by exploiting the server-side diff functionality. With a 7.7 CVSS score and low attack complexity (AC:L), this represents a significant confidentiality breach requiring only network access and basic authentication-no public exploit identified at time of analysis, but the technical barrier to exploitation is minimal.

Technical ContextAI

Argo CD is a declarative GitOps continuous delivery tool for Kubernetes. The ServerSideDiff feature compares desired application state with live cluster state to detect configuration drift. The vulnerability (CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer) occurs when this diff operation exposes cleartext Kubernetes Secret resources instead of properly redacting or masking sensitive data fields. Kubernetes Secrets are intended to store sensitive information like passwords, OAuth tokens, and SSH keys in base64-encoded (not encrypted) form. Argo CD's diff functionality should sanitize these values before returning comparison results to users, but affected versions fail to do so. The Changed Scope (S:C) in the CVSS vector indicates the vulnerability impacts resources beyond Argo CD's own security boundary-specifically, it breaches the confidentiality of Kubernetes cluster secrets that should be protected by separate RBAC policies.

RemediationAI

Upgrade immediately to Argo CD version 3.2.11 or later for the 3.2.x branch, or version 3.3.9 or later for the 3.3.x branch, as indicated by the CVE description's 'before' version ranges. Consult the official GitHub Security Advisory at https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3 for complete remediation guidance and release notes. If immediate patching is not feasible, implement compensating controls: restrict Argo CD user permissions using RBAC to limit which applications users can view or diff (trade-off: reduces operational flexibility and may require creating additional service accounts for legitimate diff operations); disable ServerSideDiff functionality entirely if your deployment workflow doesn't require live cluster comparisons (trade-off: loses drift detection capability, requiring manual inspection); audit existing Argo CD access logs for suspicious diff operations against applications containing Secrets to identify potential prior exploitation; rotate any Kubernetes secrets that may have been exposed to unauthorized users. Note that access restriction mitigations only reduce attack surface-they do not fix the underlying information disclosure flaw, so upgrading remains the definitive solution.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Vendor StatusVendor

Share

CVE-2026-43824 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy