Argo Helm
Monthly
Remote code execution in the Argo CD repo-server component (as shipped in Red Hat OpenShift GitOps and the argoproj argo-helm chart) allows an unauthenticated attacker with network access to the repo-server to run arbitrary code and, under certain conditions, poison cached manifests to push malicious Kubernetes resources into managed clusters, enabling full cluster takeover. The root cause is missing authentication (CWE-306) on a critical internal service that the default Helm chart left network-exposed. There is no public exploit identified at time of analysis, but detailed third-party technical research (Synacktiv) and press coverage exist, and the flaw was reported unpatched at disclosure.
Insecure-default configuration in the Argo CD (argoproj/argo-helm) Helm chart before 10.0.0 ships without any Kubernetes NetworkPolicy, so every pod sharing the cluster can reach the repo-server and other internal Argo CD APIs that are normally meant to be isolated. A low-privileged workload that an attacker already controls can chain this unrestricted intra-cluster access into full cluster compromise and remote code execution. Reported by VulnCheck; no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates real-world impact high (CVSS 4.0 base 8.6).
Remote code execution in the Argo CD repo-server component (as shipped in Red Hat OpenShift GitOps and the argoproj argo-helm chart) allows an unauthenticated attacker with network access to the repo-server to run arbitrary code and, under certain conditions, poison cached manifests to push malicious Kubernetes resources into managed clusters, enabling full cluster takeover. The root cause is missing authentication (CWE-306) on a critical internal service that the default Helm chart left network-exposed. There is no public exploit identified at time of analysis, but detailed third-party technical research (Synacktiv) and press coverage exist, and the flaw was reported unpatched at disclosure.
Insecure-default configuration in the Argo CD (argoproj/argo-helm) Helm chart before 10.0.0 ships without any Kubernetes NetworkPolicy, so every pod sharing the cluster can reach the repo-server and other internal Argo CD APIs that are normally meant to be isolated. A low-privileged workload that an attacker already controls can chain this unrestricted intra-cluster access into full cluster compromise and remote code execution. Reported by VulnCheck; no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates real-world impact high (CVSS 4.0 base 8.6).