Missing Authorization and Data-Masking in Argo CD by Intuit
CVE-2026-42880

9.6CRITICAL

Key Information:

Vendor

Argoproj

Status
Vendor
CVE Published:
7 May 2026

What is CVE-2026-42880?

A vulnerability in Argo CD, a GitOps continuous delivery tool for Kubernetes, has been identified where a missing authorization and data-masking gap exists in the ServerSideDiff endpoint. This flaw affects versions 3.2.0 prior to 3.2.11 and 3.3.0 prior to 3.3.9, enabling attackers with read-only access to exploit the Kubernetes API server's Server-Side Apply dry-run mechanism. By leveraging this issue, attackers can extract plaintext Kubernetes Secret data from etcd, compromising sensitive information. The vulnerability has been addressed in subsequent releases, specifically versions 3.2.11 and 3.3.9.

Affected Version(s)

argo-cd >= 3.2.0, < 3.2.11 < 3.2.0, 3.2.11

argo-cd >= 3.3.0, < 3.3.9 < 3.3.0, 3.3.9

References

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.