JavaScript Execution Vulnerability in Argo CD by Argo Project
CVE-2026-45738

7.3HIGH

Key Information:

Vendor

Argoproj

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-45738?

Argo CD is a GitOps continuous delivery tool for Kubernetes. Users with application write access can exploit a vulnerability that allows them to set unchecked annotations, which can render potentially harmful JavaScript code in higher-privileged user sessions. This scenario occurs due to the lack of URL validation in the application summaries. The vulnerability was addressed in versions 3.2.12, 3.3.10, and 3.4.2, ensuring better security for deployments.

Affected Version(s)

argo-cd < 3.2.12 < 3.2.12

argo-cd >= 3.3.0, < 3.3.10 < 3.3.0, 3.3.10

argo-cd >= 3.4.0-rc1, < 3.4.2 < 3.4.0-rc1, 3.4.2

References

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.