Missing Authorization and Data-Masking in Argo CD by Intuit
CVE-2026-42880
9.6CRITICAL
What is CVE-2026-42880?
A vulnerability in Argo CD, a GitOps continuous delivery tool for Kubernetes, has been identified where a missing authorization and data-masking gap exists in the ServerSideDiff endpoint. This flaw affects versions 3.2.0 prior to 3.2.11 and 3.3.0 prior to 3.3.9, enabling attackers with read-only access to exploit the Kubernetes API server's Server-Side Apply dry-run mechanism. By leveraging this issue, attackers can extract plaintext Kubernetes Secret data from etcd, compromising sensitive information. The vulnerability has been addressed in subsequent releases, specifically versions 3.2.11 and 3.3.9.
Affected Version(s)
argo-cd >= 3.2.0, < 3.2.11 < 3.2.0, 3.2.11
argo-cd >= 3.3.0, < 3.3.9 < 3.3.0, 3.3.9
