CVE-2026-42880
published 2026-05-07


Priority: P2 (65)
CVSS 3.1: 9.6 critical
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:N
EPSS: 0.51% (39.3rd percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

Affected (17 ranges)

Vendor            | Product                          | Version range       | Fixed in
argoproj          | argo-cd                          |                     |
argoproj          | argo-cd                          |                     |
argoproj          | argo_cd                          | >= 3.2.0 < 3.2.11   | 3.2.11
argoproj          | argo_cd                          | >= 3.3.0 < 3.3.9    | 3.3.9
github.com        | argoproj_argo-cd_v3              | >= 3.2.0 < 3.2.11   | 3.2.11
github.com        | argoproj_argo-cd_v3              | >= 3.3.0 < 3.3.9    | 3.3.9
odf4              | odf-multicluster-rhel9-operator  |                     |
openshift-gitops-1 | argocd-agent-rhel8              |                     |
openshift-gitops-1 | argocd-agent-rhel9              |                     |
openshift-gitops-1 | argocd-image-updater-rhel8      |                     |
openshift-gitops-1 | argocd-image-updater-rhel9      |                     |
openshift-gitops-1 | argocd-rhel8                    |                     |
openshift-gitops-1 | argocd-rhel9_1776942799         |                     |
openshift-gitops-1 | gitops-rhel8                    |                     |
openshift-gitops-1 | gitops-rhel8-operator           |                     |
openshift-gitops-1 | gitops-rhel9                    |                     |
openshift-gitops-1 | gitops-rhel9-operator           |                     |

Detection & IOCs (extracted from sources)

  • Monitor for unauthorized or anomalous requests to the Argo CD ServerSideDiff endpoint, especially from accounts with read-only access, since this endpoint can be abused to extract plaintext Kubernetes Secret data via the Server-Side Apply dry-run mechanism.
  • Audit Argo CD access logs for read-only users invoking the ServerSideDiff endpoint, which should not normally return Secret values; unexpected Secret data in responses may indicate active exploitation.
  • Red Hat has confirmed that no mitigation is currently available for the affected Red Hat OpenShift GitOps and ODF packages; patching is the only remediation path.
  • Multiple Red Hat container images are affected, including argocd-agent-rhel8/9, argocd-image-updater-rhel8/9, argocd-rhel8, gitops-rhel8/9, gitops-rhel8/9-operator, and odf-multicluster-rhel9-operator.

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 9.6   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
vendor_redhat  |         | 9.6   | CRITICAL |