Exposed Kubernetes Secret Values in Argo CD Continuous Delivery Tool
CVE-2026-45737

6.3MEDIUM

Key Information:

Vendor

Argoproj

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-45737?

Argo CD, a GitOps continuous delivery tool for Kubernetes, contains a vulnerability where the ServerSideDiff feature can inadvertently expose sensitive Kubernetes Secret values. This occurs due to improper sanitization in the ResourceDiff.TargetState and LiveState implementations, allowing sensitive data, including stringData and annotations, to be visible in both UI and CLI diffs. Users running versions 3.2.0 through 3.2.12, 3.3.10, and 3.4.2 are affected. Mitigation is available in newer releases, specifically 3.2.12, 3.3.10, and 3.4.2, which address this issue and enhance data security.

Affected Version(s)

argo-cd >= 3.2.0, < 3.2.12 < 3.2.0, 3.2.12

argo-cd >= 3.3.9, < 3.3.10 < 3.3.9, 3.3.10

argo-cd >= 3.4.1, < 3.4.2 < 3.4.1, 3.4.2

References

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.