What is the CVSS score of CVE-2026-43824?

CVE-2026-43824 has a CVSS 3.1 base score of 7.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Argo CD are affected by CVE-2026-43824?

Argo CD versions 3.2.0-3.2.10 and 3.3.0-3.3.8 contain an authenticated privilege escalation vulnerability that exposes cleartext Kubernetes Secrets (database passwords, API tokens, certificates) to…. A patch is available.

How to fix or mitigate CVE-2026-43824?

Within 24 hours: Identify all Argo CD instances and document current versions using `argocd version`. Restrict network access to Argo CD APIs and UI to administrative personnel only. Within 7 days: Audit Kubernetes Secret access logs for unauthorized read attempts. Review all low-privileged user accounts and disable unnecessary ones. Within 30 days: Upgrade Argo CD to version 3.2.11+ or 3.3.9+ as vendor releases patches; if upgrades are blocked, implement Pod Security Policies to deny Secret enumeration and rotate all exposed credentials (database passwords, API tokens, certificates) stored in Kubernetes Secrets.

Argo CD CVE-2026-43824

EUVD-2026-26726 HIGH

Improper Removal of Sensitive Information Before Storage or Transfer (CWE-212)

2026-05-02 mitre

Information Disclosure Kubernetes Red Hat

7.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch released

May 04, 2026 - 14:16 nvd

Patch available

May 02, 2026 - 03:01 EUVD

Analysis Generated

May 02, 2026 - 02:30 vuln.today

EUVD ID Assigned

May 02, 2026 - 02:00 euvd

EUVD-2026-26726

Analysis Generated

May 02, 2026 - 02:00 vuln.today

CVE Published

May 02, 2026 - 01:20 nvd

HIGH 7.7

DescriptionNVD

In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.

AnalysisAI

Authenticated users with low privileges can read cleartext Kubernetes Secret data through Argo CD's ServerSideDiff feature in versions 3.2.0-3.2.10 and 3.3.0-3.3.8. This scope-changing vulnerability (CVSS:3.1 S:C) allows attackers to access sensitive credential data managed by Kubernetes, including database passwords, API tokens, and certificates, by exploiting the server-side diff functionality. …

RemediationAI

Within 24 hours: Identify all Argo CD instances and document current versions using argocd version. Restrict network access to Argo CD APIs and UI to administrative personnel only. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory