Skip to main content

Argo Helm

2 CVEs product

Monthly

CVE-2026-15416 HIGH PATCH This Week

Remote code execution in the Argo CD repo-server component (as shipped in Red Hat OpenShift GitOps and the argoproj argo-helm chart) allows an unauthenticated attacker with network access to the repo-server to run arbitrary code and, under certain conditions, poison cached manifests to push malicious Kubernetes resources into managed clusters, enabling full cluster takeover. The root cause is missing authentication (CWE-306) on a critical internal service that the default Helm chart left network-exposed. There is no public exploit identified at time of analysis, but detailed third-party technical research (Synacktiv) and press coverage exist, and the flaw was reported unpatched at disclosure.

Authentication Bypass Red Hat RCE Kubernetes Argo Helm +3
NVD GitHub VulDB
CVSS 3.1
8.9
EPSS
0.3%
CVE-2026-62185 HIGH This Week

Insecure-default configuration in the Argo CD (argoproj/argo-helm) Helm chart before 10.0.0 ships without any Kubernetes NetworkPolicy, so every pod sharing the cluster can reach the repo-server and other internal Argo CD APIs that are normally meant to be isolated. A low-privileged workload that an attacker already controls can chain this unrestricted intra-cluster access into full cluster compromise and remote code execution. Reported by VulnCheck; no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates real-world impact high (CVSS 4.0 base 8.6).

RCE Argo Helm
NVD GitHub
CVSS 4.0
8.6
EPSS
0.3%
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Remote code execution in the Argo CD repo-server component (as shipped in Red Hat OpenShift GitOps and the argoproj argo-helm chart) allows an unauthenticated attacker with network access to the repo-server to run arbitrary code and, under certain conditions, poison cached manifests to push malicious Kubernetes resources into managed clusters, enabling full cluster takeover. The root cause is missing authentication (CWE-306) on a critical internal service that the default Helm chart left network-exposed. There is no public exploit identified at time of analysis, but detailed third-party technical research (Synacktiv) and press coverage exist, and the flaw was reported unpatched at disclosure.

Authentication Bypass Red Hat RCE +5
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Insecure-default configuration in the Argo CD (argoproj/argo-helm) Helm chart before 10.0.0 ships without any Kubernetes NetworkPolicy, so every pod sharing the cluster can reach the repo-server and other internal Argo CD APIs that are normally meant to be isolated. A low-privileged workload that an attacker already controls can chain this unrestricted intra-cluster access into full cluster compromise and remote code execution. Reported by VulnCheck; no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates real-world impact high (CVSS 4.0 base 8.6).

RCE Argo Helm
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy