CVE-2026-45737
Published: 2026-05-19
Severity: medium
Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations

### Summary

The original fix for [GHSA-3v3m-wc6v-x4x3](https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3) is incomplete. `argocd app diff --server-side-diff` can still expose Kubernetes Secret values embedded in the `kubectl.kubernetes.io/last-applied-configuration` annotation.

The prior fix masks top-level Secret data in ServerSideDiff responses, but it does not fully sanitize Secret data stored inside the last-applied-configuration annotation. If a Secret was previously created or updated using client-side apply, that annotation may contain raw `data`, `stringData`, and sensitive annotations. These values can be shown in UI/CLI diffs.

### Details

The ServerSideDiff endpoint returns `ResourceDiff.TargetState` / `LiveState` based on server-side dry-run output. Kubernetes server-side dry-run can return a full predicted live Secret object that carries forward existing live annotations, including:

- `kubectl.kubernetes.io/last-applied-configuration`

For Secrets created with client-side apply, that annotation can contain a JSON-serialized Secret manifest with sensitive values.

The masking path calls `HideSecretData(target, live, ...)`. However, `HideSecretData` only rewrites the last-applied annotation on the second argument (`live`). In server-side diff, the first argument can be `predictedLive`, not a clean Git target. `predictedLive` can also contain `kubectl.kubernetes.io/last-applied-configuration`, so the first object's embedded annotation can remain unmasked.

### PoC

Create an app containing this Secret manifest:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: last-applied-secret-repro
---
apiVersion: v1
kind: Secret
metadata:
  name: secret
  namespace: last-applied-secret-repro
  annotations:
    app: test
    token: SECRETVAL
type: Opaque
data:
  password: U0VDUkVUVkFM
  username: U0VDUkVUVkFM
```

Create and sync the Argo App:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Applicatio
```
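The masking gap described under Details, as an added example that is not Argo CD's own code: a minimal Go routine that re-masks the Secret manifest embedded in the last-applied annotation and, unlike the incomplete fix, applies it to both `predictedLive` and `live`. The `Secret`/`Meta` types, `maskSecret`, `maskForDiff` and the `++++++++` placeholder are constructed for this illustration; masking of individually sensitive annotations (such as the `token` annotation in the PoC) is deliberately left out.

```go
package main

import "encoding/json"

// Constructed stand-in for the v1 Secret fields this advisory concerns
// (not Argo CD's or client-go's own types).
type Meta struct {
	Name        string            `json:"name"`
	Annotations map[string]string `json:"annotations,omitempty"`
}
type Secret struct {
	Kind       string            `json:"kind"`
	Metadata   Meta              `json:"metadata"`
	Data       map[string]string `json:"data,omitempty"`
	StringData map[string]string `json:"stringData,omitempty"`
}

const lastApplied = "kubectl.kubernetes.io/last-applied-configuration"
const masked = "++++++++" // assumed placeholder, not Argo CD's exact mask string

// maskSecret blanks data/stringData, then re-masks the JSON Secret manifest that
// client-side apply stores in the last-applied annotation. It recurses so an
// embedded manifest that itself carries the annotation is covered too.
func maskSecret(s *Secret) {
	for _, m := range []map[string]string{s.Data, s.StringData} {
		for k := range m {
			m[k] = masked
		}
	}
	raw, ok := s.Metadata.Annotations[lastApplied]
	if !ok {
		return
	}
	var inner Secret
	if json.Unmarshal([]byte(raw), &inner) != nil {
		s.Metadata.Annotations[lastApplied] = masked // unparseable: never echo it raw
		return
	}
	maskSecret(&inner)
	b, _ := json.Marshal(inner)
	s.Metadata.Annotations[lastApplied] = string(b)
}

// maskForDiff sanitizes BOTH sides of a server-side diff. The incomplete fix only
// rewrote the annotation on live, so predictedLive's copy stayed visible in the diff.
func maskForDiff(predictedLive, live *Secret) {
	maskSecret(predictedLive)
	maskSecret(live)
}
```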
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | argoproj_argo-cd_v3 | >= 3.2.0 < 3.2.12 | 3.2.12 |
| github.com | argoproj_argo-cd_v3 | >= 3.3.0-rc1 < 3.3.10 | 3.3.10 |
| github.com | argoproj_argo-cd_v3 | >= 3.4.0-rc1 < 3.4.2 | 3.4.2 |