Argo CD CVE-2026-62185
HIGHSeverity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attacker needs an in-cluster pod foothold (AV:A, PR:L) but no user interaction; exposed repo-server yields high confidentiality/integrity and limited availability impact, scope unchanged.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Argo CD Helm Chart before 10.0.0 fails to install network policies by default, allowing any pod on a cluster to access repo-server and other Argo APIs. Attackers can exploit this unrestricted network access through combined attacks to achieve cluster compromise and remote code execution.
AnalysisAI
Insecure-default configuration in the Argo CD (argoproj/argo-helm) Helm chart before 10.0.0 ships without any Kubernetes NetworkPolicy, so every pod sharing the cluster can reach the repo-server and other internal Argo CD APIs that are normally meant to be isolated. A low-privileged workload that an attacker already controls can chain this unrestricted intra-cluster access into full cluster compromise and remote code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that Argo CD was deployed with the argo-helm chart before version 10.0.0 AND that the cluster has no independent network segmentation (a CNI-enforced NetworkPolicy or service mesh) compensating for the chart's missing default policy. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L, base 8.6) frames this as an adjacent-network, low-complexity, low-privilege issue with high confidentiality and integrity impact - consistent with an attacker who already has a foothold as some pod on the cluster (PR:L) rather than a fully unauthenticated internet-facing flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has compromised or deployed any low-privileged pod on a shared Kubernetes cluster (for example via a vulnerable application workload) discovers that Argo CD's repo-server and internal APIs are reachable because no NetworkPolicy blocks pod-to-pod traffic. From that pod they connect directly to repo-server and the Argo APIs, abuse the exposed functionality to extract repository credentials or manipulate application manifests, and pivot toward broader cluster compromise and remote code execution. … |
| Remediation | Vendor-released patch: upgrade the argo-helm Argo CD chart to version 10.0.0 or later, which installs the network policies by default, and confirm the NetworkPolicy resources are actually created in the Argo CD namespace after deployment. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Argo CD deployments to identify instances running versions before 10.0.0 and assess co-location with third-party or untrusted workloads. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today