Exposed Kubernetes Secret Values in Argo CD Continuous Delivery Tool
CVE-2026-45737
6.3MEDIUM
What is CVE-2026-45737?
Argo CD, a GitOps continuous delivery tool for Kubernetes, contains a vulnerability where the ServerSideDiff feature can inadvertently expose sensitive Kubernetes Secret values. This occurs due to improper sanitization in the ResourceDiff.TargetState and LiveState implementations, allowing sensitive data, including stringData and annotations, to be visible in both UI and CLI diffs. Users running versions 3.2.0 through 3.2.12, 3.3.10, and 3.4.2 are affected. Mitigation is available in newer releases, specifically 3.2.12, 3.3.10, and 3.4.2, which address this issue and enhance data security.
Affected Version(s)
argo-cd >= 3.2.0, < 3.2.12 < 3.2.0, 3.2.12
argo-cd >= 3.3.9, < 3.3.10 < 3.3.9, 3.3.10
argo-cd >= 3.4.1, < 3.4.2 < 3.4.1, 3.4.2
