CVE-2026-42880
Published: 2026-05-07
Priority: P265, critical, CVSS 3.1 base score 9.6
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.51% (39.3th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo_cd | >= 3.2.0 < 3.2.11 | 3.2.11 |
| argoproj | argo_cd | >= 3.3.0 < 3.3.9 | 3.3.9 |
| github.com | argoproj_argo-cd_v3 | >= 3.2.0 < 3.2.11 | 3.2.11 |
| github.com | argoproj_argo-cd_v3 | >= 3.3.0 < 3.3.9 | 3.3.9 |
| odf4 | odf-multicluster-rhel9-operator | — | — |
| openshift-gitops-1 | argocd-agent-rhel8 | — | — |
| openshift-gitops-1 | argocd-agent-rhel9 | — | — |
| openshift-gitops-1 | argocd-image-updater-rhel8 | — | — |
| openshift-gitops-1 | argocd-image-updater-rhel9 | — | — |
| openshift-gitops-1 | argocd-rhel8 | — | — |
| openshift-gitops-1 | argocd-rhel9_1776942799 | — | — |
| openshift-gitops-1 | gitops-rhel8 | — | — |
| openshift-gitops-1 | gitops-rhel8-operator | — | — |
| openshift-gitops-1 | gitops-rhel9 | — | — |
| openshift-gitops-1 | gitops-rhel9-operator | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthorized or anomalous requests to the Argo CD ServerSideDiff endpoint, especially from accounts with read-only access, as this endpoint can be abused to extract plaintext Kubernetes Secret data via the Server-Side Apply dry-run mechanism.
- Audit Argo CD access logs for read-only users invoking the ServerSideDiff endpoint, which should not normally return Secret values; unexpected Secret data in responses may indicate active exploitation.
- Red Hat has confirmed no mitigation is currently available for affected Red Hat OpenShift GitOps and ODF packages; patching is the only remediation path.
- Multiple Red Hat container images are affected, including argocd-agent-rhel8/9, argocd-image-updater-rhel8/9, argocd-rhel8, gitops-rhel8/9, gitops-rhel8/9-operator, and odf-multicluster-rhel9-operator.
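The second bullet above is a log-review task, so here is a small detector for it. This is an added example, not tooling from Argo CD or Red Hat: it parses logfmt-style API-server lines and flags every `application.ApplicationService/ServerSideDiff` call attributed to an account in a read-only set. The `grpc.method`/`grpc.service` field names follow the go-grpc-middleware logging convention; the `user` and `application` fields, and the sample lines themselves, are constructed assumptions for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// kvPattern splits a logfmt-style line into key=value pairs; values are
// either bare tokens or double-quoted strings with backslash escapes.
var kvPattern = regexp.MustCompile(`([A-Za-z_][A-Za-z0-9_.]*)=("(?:[^"\\]|\\.)*"|\S+)`)

// parseLogfmt returns the fields of one log line as a map.
func parseLogfmt(line string) map[string]string {
	fields := make(map[string]string)
	for _, m := range kvPattern.FindAllStringSubmatch(line, -1) {
		v := m[2]
		if strings.HasPrefix(v, `"`) {
			v = strings.ReplaceAll(v[1:len(v)-1], `\"`, `"`)
		}
		fields[m[1]] = v
	}
	return fields
}

// Alert records one ServerSideDiff call made by an account that should only read.
type Alert struct {
	Time, User, Application string
}

// FindReadOnlyDiffCalls scans API-server log lines and reports each call to
// application.ApplicationService/ServerSideDiff made by a user listed in
// readOnlyUsers. Other methods and other users are ignored.
func FindReadOnlyDiffCalls(lines []string, readOnlyUsers map[string]bool) []Alert {
	var alerts []Alert
	for _, line := range lines {
		f := parseLogfmt(line)
		if f["grpc.service"] != "application.ApplicationService" || f["grpc.method"] != "ServerSideDiff" {
			continue
		}
		if !readOnlyUsers[f["user"]] {
			continue
		}
		alerts = append(alerts, Alert{Time: f["time"], User: f["user"], Application: f["application"]})
	}
	return alerts
}

// sampleLines are constructed for this example (assumed log layout): the
// user and application fields are assumed to be attached by the deployment.
var sampleLines = []string{
	`time="2026-05-08T09:12:01Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=GetManifests grpc.service=application.ApplicationService user=alice application=payments`,
	`time="2026-05-08T09:12:07Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=ServerSideDiff grpc.service=application.ApplicationService user=alice application=payments`,
	`time="2026-05-08T09:13:44Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=ServerSideDiff grpc.service=application.ApplicationService user=ops-admin application=payments`,
}

func main() {
	readOnly := map[string]bool{"alice": true} // hypothetical read-only account
	for _, a := range FindReadOnlyDiffCalls(sampleLines, readOnly) {
		fmt.Printf("%s read-only user %q called ServerSideDiff on %q\n", a.Time, a.User, a.Application)
	}
}
```

Only the second sample line is reported: the first is a GetManifests call (masked by the server anyway) and the third comes from an account that is allowed to diff. On a patched server these calls are harmless, so the signal is most useful for the window between disclosure and upgrade.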
CVSS provenance
- NVD (v3.1): 9.6 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
- Red Hat (vendor): 9.6 CRITICAL
GHSA (2026-05-07)
CVE-2026-42880 [CRITICAL] CWE-200: ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
### Summary
There is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism.
### Details
Argo CD masks Secret data in every endpoint that returns Kubernetes resource state except one. The other endpoints, such as GetManifests, GetManifestsWithFiles, GetResource and PatchResource, call hideSecretData() to mask the returned Secret values. The ServerSideDiff gRPC/REST endpoint (/application.ApplicationService/ServerSideDiff) is the exception: it builds its response from the raw, unmasked PredictedLive and NormalizedLive states:
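To make the gap concrete, the following added example shows the masking step a diff endpoint must apply to both returned states before the reply leaves the server. It is not Argo CD's hideSecretData() or the upstream fix; it is illustrative code with stdlib-only types (a Secret modelled as a decoded JSON map) and hypothetical names (`DiffResponse`, `RedactSecret`, `MaskDiffResponse`). It also masks the `kubectl.kubernetes.io/last-applied-configuration` annotation, which `kubectl apply` writes and which embeds the full object, Secret values included.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Resource is a generic Kubernetes object as decoded from JSON.
type Resource map[string]interface{}

// DiffResponse mirrors the shape of a server-side diff reply: both the
// predicted-live and the normalized-live state go back to the caller, so
// both must be masked.
type DiffResponse struct {
	PredictedLive  Resource `json:"predictedLive"`
	NormalizedLive Resource `json:"normalizedLive"`
}

// RedactedValue is the placeholder substituted for every Secret value.
const RedactedValue = "++++++++"

// lastAppliedAnnotation is written by kubectl apply and carries the whole
// object in plaintext, so it must be masked along with data/stringData.
const lastAppliedAnnotation = "kubectl.kubernetes.io/last-applied-configuration"

func copyMap(m map[string]interface{}) map[string]interface{} {
	out := make(map[string]interface{}, len(m))
	for k, v := range m {
		out[k] = v
	}
	return out
}

// RedactSecret returns a copy of obj in which every value under data and
// stringData, plus the last-applied-configuration annotation, is replaced by
// RedactedValue. Keys are kept so the diff still shows which entries changed.
// Objects that are not core/v1 Secrets are returned unchanged; the input is
// never mutated.
func RedactSecret(obj Resource) Resource {
	if obj == nil || obj["kind"] != "Secret" || obj["apiVersion"] != "v1" {
		return obj
	}
	out := Resource(copyMap(obj))
	for _, field := range []string{"data", "stringData"} {
		if m, ok := obj[field].(map[string]interface{}); ok {
			masked := make(map[string]interface{}, len(m))
			for key := range m {
				masked[key] = RedactedValue
			}
			out[field] = masked
		}
	}
	if meta, ok := obj["metadata"].(map[string]interface{}); ok {
		if ann, ok := meta["annotations"].(map[string]interface{}); ok {
			if _, present := ann[lastAppliedAnnotation]; present {
				newAnn := copyMap(ann)
				newAnn[lastAppliedAnnotation] = RedactedValue
				newMeta := copyMap(meta)
				newMeta["annotations"] = newAnn
				out["metadata"] = newMeta
			}
		}
	}
	return out
}

// MaskDiffResponse applies the mask to both states; skipping either one is
// exactly the kind of gap this advisory describes.
func MaskDiffResponse(resp DiffResponse) DiffResponse {
	return DiffResponse{
		PredictedLive:  RedactSecret(resp.PredictedLive),
		NormalizedLive: RedactSecret(resp.NormalizedLive),
	}
}

// MaskDiffJSON performs the same operation on an encoded response body.
func MaskDiffJSON(raw []byte) ([]byte, error) {
	var resp DiffResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, err
	}
	return json.Marshal(MaskDiffResponse(resp))
}

func main() {
	// Constructed sample: a Secret whose value also sits in the last-applied
	// annotation, and a ConfigMap that must stay readable after masking.
	raw := []byte(`{"predictedLive":{"apiVersion":"v1","kind":"Secret",` +
		`"metadata":{"name":"db","annotations":{"` + lastAppliedAnnotation +
		`":"{\"data\":{\"password\":\"aHVudGVyMg==\"}}"}},` +
		`"data":{"password":"aHVudGVyMg=="}},` +
		`"normalizedLive":{"apiVersion":"v1","kind":"ConfigMap","data":{"mode":"prod"}}}`)
	out, err := MaskDiffJSON(raw)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

The key design point is that masking is applied at the response boundary to every state the endpoint returns, not to one of them, and that it covers the places a Secret value can hide besides `data` (the last-applied annotation being the usual one). A review checklist for any endpoint that echoes cluster state is then simply: is every returned object routed through this step?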
Red Hat (vendor advisory, 2026-05-07, CVSS 9.6)
CVE-2026-42880 [CRITICAL] CWE-201: argoproj/argo-cd: Argo CD: Information disclosure of Kubernetes Secret data via Server-Side Apply dry-run mechanism
A flaw was found in Argo CD, a GitOps continuous delivery tool for Kubernetes. A missing authorization and data-masking gap in the ServerSideDiff endpoint allows an attacker with read-only access to extract sensitive Kubernetes Secret data. This information disclosure occurs by leveraging the Kubernetes API server's Server-Side Apply dry-run mechanism, potentially exposing critical configuration and credentials.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Package: odf4/odf-
No detection rules found.
No public exploits indexed.
References:
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3
- https://access.redhat.com/errata/RHBA-2026:12433
- https://access.redhat.com/errata/RHSA-2026:20943
- https://access.redhat.com/errata/RHSA-2026:20947
- https://access.redhat.com/security/cve/CVE-2026-42880
- https://bugzilla.redhat.com/show_bug.cgi?id=2467882
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42880.json
Published: 2026-05-07