CVE-2026-45737
published 2026-05-19


Severity: medium
Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations

### Summary
The original fix for [GHSA-3v3m-wc6v-x4x3](https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3) is incomplete. argocd app diff --server-side-diff can still expose Kubernetes Secret values embedded in the kubectl.kubernetes.io/last-applied-configuration annotation.

The prior fix masks top-level Secret data in ServerSideDiff responses, but it does not fully sanitize Secret data stored inside the last-applied-configuration annotation. If a Secret was previously created or updated using client-side apply, that annotation may contain raw data, stringData, and sensitive annotations. These values can be shown in UI/CLI diffs.

### Details
The ServerSideDiff endpoint returns ResourceDiff.TargetState / LiveState based on server-side dry-run output. Kubernetes server-side dry-run can return a full predicted live Secret object that carries forward existing live annotations, including:

- kubectl.kubernetes.io/last-applied-configuration: for Secrets created with client-side apply, this annotation can contain a JSON-serialized Secret manifest with sensitive values.

The masking path calls HideSecretData(target, live, ...). However, HideSecretData only rewrites the last-applied annotation on the second argument (live). In server-side diff, the first argument can be predictedLive, not a clean Git target. predictedLive can also contain kubectl.kubernetes.io/last-applied-configuration, so the first object’s embedded annotation can remain unmasked.
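One way to close the gap described above is to sanitize the embedded manifest on both diff arguments rather than only on live. The Go example below is added here and is not Argo CD's own code: maskLastApplied, maskDiffSides, maskValues and sampleSecret are names assumed for this illustration, and the input object is constructed from the values of the PoC manifest in the next section.

```go
package main

import "encoding/json"

const lastAppliedKey = "kubectl.kubernetes.io/last-applied-configuration"
// maskValues replaces every value of the map at parent[key] with a placeholder.
func maskValues(parent map[string]any, key string) {
	if m, ok := parent[key].(map[string]any); ok {
		for k := range m {
			m[k] = "++++++++"
		}
	}
}
// maskLastApplied rewrites the Secret manifest embedded in o's last-applied annotation
// (data, stringData and annotation values) and returns it, or false if there is none.
func maskLastApplied(o map[string]any) (string, bool) {
	meta, _ := o["metadata"].(map[string]any)
	ann, _ := meta["annotations"].(map[string]any)
	raw, ok := ann[lastAppliedKey].(string)
	if !ok {
		return "", false
	}
	var embedded map[string]any
	if err := json.Unmarshal([]byte(raw), &embedded); err != nil || embedded["kind"] != "Secret" {
		return "", false
	}
	maskValues(embedded, "data")
	maskValues(embedded, "stringData")
	if m, ok := embedded["metadata"].(map[string]any); ok {
		maskValues(m, "annotations")
	}
	out, _ := json.Marshal(embedded)
	ann[lastAppliedKey] = string(out)
	return string(out), true
}

// maskDiffSides rewrites BOTH diff arguments: in the server-side diff path the
// first one may be predictedLive rather than a clean Git target.
func maskDiffSides(target, live map[string]any) (bool, bool) {
	_, t := maskLastApplied(target)
	_, l := maskLastApplied(live)
	return t, l
}
// sampleSecret is a constructed predicted-live Secret embedding raw values from the PoC (not real data).
func sampleSecret() map[string]any {
	embedded := `{"kind":"Secret","metadata":{"annotations":{"token":"SECRETVAL"}},"data":{"password":"U0VDUkVUVkFM"}}`
	return map[string]any{"kind": "Secret", "metadata": map[string]any{
		"annotations": map[string]any{lastAppliedKey: embedded}}}
}
```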

### PoC
Create an app containing this Secret manifest:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: last-applied-secret-repro
---
apiVersion: v1
kind: Secret
metadata:
  name: secret
  namespace: last-applied-secret-repro
  annotations:
    app: test
    token: SECRETVAL
type: Opaque
data:
  password: U0VDUkVUVkFM
  username: U0VDUkVUVkFM
```
Create and sync an Argo CD Application for it:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Applicatio
```

### Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | argoproj_argo-cd_v3 | >= 3.2.0 < 3.2.12 | 3.2.12 |
| github.com | argoproj_argo-cd_v3 | >= 3.3.0-rc1 < 3.3.10 | 3.3.10 |
| github.com | argoproj_argo-cd_v3 | >= 3.4.0-rc1 < 3.4.2 | 3.4.2 |