CVE Catalog

CVE-2026-42880

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.51%

39th percentile — higher than 39% of all known CVEs

Summary

In Argo CD versions 3.2.0 to 3.2.10 and 3.3.0 to 3.3.8, there is a missing authorization and data-masking gap in the ServerSideDiff endpoint. This allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism.

Risk Assessment

The organization is at risk of leaking sensitive data stored in Kubernetes Secrets, such as passwords, tokens, or API keys, which could lead to unauthorized access to systems and security breaches.

Recommendation

Immediately upgrade Argo CD to version 3.2.11 or 3.3.9, depending on the branch in use. After the upgrade, rotate all Secrets that may have been accessible to the attacker.

Original NVD description (English source)

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS