CVE-2026-45738
Published 2026-05-19
Severity: high
Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation
### Summary
A user with **application write access (developer role)** can set `link.argocd.argoproj.io/*` annotations on any ArgoCD Application. These annotation values are rendered in the Summary tab's **URLs section** as `<a>` elements without URL validation. Using the pipe-separator trick (`Display Text | javascript:...`), an attacker can inject a `javascript:` URI behind a legitimate-looking label (e.g. `GitHub Repo`). When a higher-privileged user (an admin) clicks the link, **arbitrary JavaScript executes in the ArgoCD origin** within the admin's authenticated session, enabling API exfiltration and privilege escalation from developer to admin.
### Details
**Vulnerable sink:** `ui/src/app/applications/components/application-summary/application-summary.tsx:277`
```tsx
const parts = (url || '').split('|');
// parts[1] (or the whole value when there is no '|') goes straight into href;
// isValidURL() is never called on it
<a href={parts.length > 1 ? parts[1] : parts[0]} target='_blank'>
    {parts[0]}
</a>
```
The annotation value is split on `|`. `parts[0]` becomes the visible link label; `parts[1]` becomes the `href`. **No call to `isValidURL()` is made**, unlike the protected `ApplicationURLs` component (`application-urls.tsx:72,80`) which does validate URLs and blocks `javascript:`. The `target='_blank'` opens a new tab that inherits the ArgoCD origin, giving the injected script same-origin fetch access to all ArgoCD APIs using the victim's authenticated session (credentialed `fetch()` calls).
**Root cause:** React 16.x does not block `javascript:` URIs in `href` attributes (this protection was added in React 19). The helper `isValidURL()` exists in `shared/utils.ts` but is **not applied** to this sink.
**CSP:** ArgoCD's default Content Security Policy is `frame-ancestors 'self'` only — no `script-src`, no `connect-src`, no `default-src` — providing **zero XSS execution mitigation**.
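As an added example (not Argo CD's code; the function names are mine), the vulnerable split is shown beside a hardened parser that only renders an `<a>` when the href is an absolute http(s) URL. It uses the WHATWG URL parser rather than a string prefix check, because that parser lowercases the scheme and strips embedded tab/newline characters exactly as browsers do, so case and whitespace variants of `javascript:` are rejected too:

```typescript
// Added example, not the Argo CD code base: parsing the
// "Label | URL" form of a link.argocd.argoproj.io/* annotation value.

interface LinkParts {
  label: string;
  href: string;
}

// Mirrors the vulnerable sink: the href is taken verbatim from the annotation.
function parseLinkUnsafe(value: string): LinkParts {
  const parts = (value || '').split('|');
  const first = parts[0] ?? '';
  return {
    label: first.trim(),
    href: (parts.length > 1 ? parts[1] ?? '' : first).trim(),
  };
}

// Only schemes that are safe to place in an href are accepted.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Hardened version. new URL() throws on relative or malformed input,
// lowercases the scheme and removes ASCII tab/newline before parsing,
// so "JavaScript:", "java\tscript:" and " javascript:" all normalize to
// protocol "javascript:" and are rejected by the allowlist. Returning
// null tells the caller to render plain text instead of a link.
function parseLinkSafe(value: string): LinkParts | null {
  const { label, href } = parseLinkUnsafe(value);
  let parsed: URL;
  try {
    parsed = new URL(href);
  } catch {
    return null; // relative or unparsable: never becomes an href
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return null;
  }
  // Use the normalized URL, and fall back to it as the label when empty.
  return { label: label || parsed.href, href: parsed.href };
}
```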
### PoC
**Prerequisites:** Developer role with application write access (e.g. RBAC: `p, role:develop`…
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | argoproj_argo-cd | 0 – 1.8.7 | — |
| github.com | argoproj_argo-cd_v2 | 0 – 2.14.21 | — |
| github.com | argoproj_argo-cd_v3 | >= 0 < 3.2.12 | 3.2.12 |
| github.com | argoproj_argo-cd_v3 | >= 3.3.0-rc1 < 3.3.10 | 3.3.10 |
| github.com | argoproj_argo-cd_v3 | >= 3.4.0-rc1 < 3.4.2 | 3.4.2 |