CVE-2026-42880
CriticalCVSS 9.6Exploitation Probability (EPSS)
Low risk39th percentile — higher than 39% of all known CVEs
Summary
In Argo CD versions 3.2.0 to 3.2.10 and 3.3.0 to 3.3.8, there is a missing authorization and data-masking gap in the ServerSideDiff endpoint. This allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism.
Risk Assessment
The organization is at risk of leaking sensitive data stored in Kubernetes Secrets, such as passwords, tokens, or API keys, which could lead to unauthorized access to systems and security breaches.
Recommendation
Immediately upgrade Argo CD to version 3.2.11 or 3.3.9, depending on the branch in use. After the upgrade, rotate all Secrets that may have been accessible to the attacker.
Original NVD description (English source)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

