CVE-2026-45738
published 2026-05-19


Severity: high
Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation

### Summary

A user with **application write access (developer role)** can set `link.argocd.argoproj.io/*` annotations on any ArgoCD Application. These annotation values are rendered in the Summary tab's **URLs section** as `<a>` elements without URL validation. Using the pipe-separator trick (`Display Text | javascript:...`), an attacker can inject a `javascript:` URI while displaying a legitimate-looking label (e.g. `GitHub Repo`). When a higher-privileged user (admin) clicks the link, **arbitrary JavaScript executes in the ArgoCD origin** within the admin's authenticated session, enabling API exfiltration and privilege escalation from developer to admin.

### Details

**Vulnerable sink:** `ui/src/app/applications/components/application-summary/application-summary.tsx:277`

```tsx
// Vulnerable sink: the annotation value is split on '|', and the second
// half (or the whole value) becomes the href with no scheme check.
const parts = (url || '').split('|');
<a href={parts.length > 1 ? parts[1] : parts[0]} target='_blank'>
    {parts[0]}
</a>
```

The annotation value is split on `|`. `parts[0]` becomes the visible link label; `parts[1]` becomes the `href`. **No call to `isValidURL()` is made**, unlike the protected `ApplicationURLs` component (`application-urls.tsx:72,80`) which does validate URLs and blocks `javascript:`. The `target='_blank'` opens a new tab that inherits the ArgoCD origin, giving the injected script same-origin fetch access to all ArgoCD APIs using the victim's authenticated session (credentialed `fetch()` calls).

**Root cause:** React 16.x does not block `javascript:` URIs in `href` attributes (this protection was added in React 19). The helper `isValidURL()` exists in `shared/utils.ts` but is **not applied** to this sink.
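As an added example (not Argo CD's code, and not the `isValidURL()` helper the advisory refers to), the following shows what a hardened version of the `label | target` split above looks like: the target is only accepted as an `href` when its scheme is `http` or `https`, after the same leading-control-character and case normalisation a browser's URL parser performs, so spelling variants of `javascript:` are not waved through. An audit helper walks an Application's annotation map and reports every link annotation the UI should refuse to render. All function and constant names, and the sample annotations, are constructed for this example.

```typescript
// Hardened parsing of `link.argocd.argoproj.io/*` annotation values.
// Added example; names are this example's own, not the Argo CD code base's.

const LINK_ANNOTATION_PREFIX = 'link.argocd.argoproj.io/';

// Schemes an <a href> may carry. Everything else (javascript:, data:,
// vbscript:, protocol-relative "//", relative paths) is refused.
const ALLOWED_SCHEMES = ['http', 'https'];

interface ParsedLink {
  label: string;
  href: string; // validated absolute URL
}

interface LinkFinding {
  annotation: string;
  value: string;
  reason: string;
}

// Extracts the URL scheme the way a WHATWG-conformant parser would see it:
// leading/trailing C0 controls and spaces are stripped, ASCII tab/newline
// are removed anywhere, and the scheme is lowercased. A naive
// `startsWith('javascript:')` check misses "  JavaScript:" or "java\tscript:".
function extractScheme(raw: string): string | null {
  const cleaned = raw
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return match ? match[1].toLowerCase() : null;
}

// True only for absolute URLs whose scheme is on the allow list.
function isAllowedUrl(raw: string): boolean {
  const scheme = extractScheme(raw);
  return scheme !== null && ALLOWED_SCHEMES.indexOf(scheme) !== -1;
}

// Same "label | target" convention as the vulnerable sink, but the target is
// validated before it can become an href. Returns null when the value must
// be rendered as plain text (or dropped) instead of a link.
function parseLinkAnnotation(value: string): ParsedLink | null {
  const parts = (value || '').split('|').map(p => p.trim());
  const label = parts[0];
  const target = parts.length > 1 ? parts[1] : parts[0];
  if (!label || !isAllowedUrl(target)) {
    return null;
  }
  return { label, href: target };
}

// Audit helper for an Application's metadata.annotations: lists every link
// annotation whose target would be rejected by parseLinkAnnotation.
function auditLinkAnnotations(annotations: { [key: string]: string }): LinkFinding[] {
  const findings: LinkFinding[] = [];
  for (const key of Object.keys(annotations)) {
    if (key.indexOf(LINK_ANNOTATION_PREFIX) !== 0) {
      continue;
    }
    const value = annotations[key];
    if (parseLinkAnnotation(value) === null) {
      findings.push({ annotation: key, value, reason: 'target is not an http(s) URL' });
    }
  }
  return findings;
}

// Constructed sample annotations (not taken from any real cluster).
const SAMPLE_ANNOTATIONS: { [key: string]: string } = {
  'link.argocd.argoproj.io/repo': 'GitHub Repo | https://github.com/example/app',
  'link.argocd.argoproj.io/dash': 'Dashboard | javascript:alert(1)',
  'link.argocd.argoproj.io/grafana': 'https://grafana.example.internal/d/app',
  'argocd.argoproj.io/sync-wave': '1', // unrelated annotation, ignored
};

// Stand-alone run: prints the one offending annotation from the sample set.
console.log(JSON.stringify(auditLinkAnnotations(SAMPLE_ANNOTATIONS), null, 2));
```

The same `auditLinkAnnotations()` logic can be run against `kubectl get applications -A -o json` output as a detection step on an unpatched instance, since the annotation values are stored in the Application object and not only in the UI.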

**CSP:** ArgoCD's default Content Security Policy is `frame-ancestors 'self'` only — no `script-src`, no `connect-src`, no `default-src` — providing **zero XSS execution mitigation**.

### PoC

**Prerequisites:** Developer role with application write access (e.g. RBAC: `p, role:develop

### Affected (5 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | argoproj_argo-cd | 0 – 1.8.7 | |
| github.com | argoproj_argo-cd_v2 | 0 – 2.14.21 | |
| github.com | argoproj_argo-cd_v3 | >= 0 < 3.2.12 | 3.2.12 |
| github.com | argoproj_argo-cd_v3 | >= 3.3.0-rc1 < 3.3.10 | 3.3.10 |
| github.com | argoproj_argo-cd_v3 | >= 3.4.0-rc1 < 3.4.2 | 3.4.2 |