Argoproj Argo-Cd vulnerabilities
42 known vulnerabilities affecting argoproj/argo-cd.
Total CVEs: 42
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 7, HIGH 14, MEDIUM 21
Vulnerabilities
Page 1 of 3
CVE-2025-55190 | P1 | CRITICAL | CVSS 9.9 | CWE-200 | Exploited in the wild; PoC available | published 2025-09-04
Affected: >= 2.13.0, < 2.13.9; >= 2.14.0, < 2.14.16; +2 more ranges
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even
Source: nvd
CVE-2024-37152 | P2 | HIGH | CVSS 7.5 | CWE-287 | PoC available | published 2024-06-06
Affected: >= 2.9.3, < 2.9.17; >= 2.10.0, < 2.10.12; +1 more range
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by the /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
Source: nvd
CVE-2022-29165 | P2 | CRITICAL | CVSS 10.0 | CWE-200 | published 2022-05-20
Affected: >= 1.4.0, < 2.1.15; >= 2.2.0, < 2.2.9; +1 more range
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafte
Source: nvd
CVE-2026-42880 | P2 | CRITICAL | CVSS 9.6 | CWE-200 | published 2026-05-07
Affected: >= 3.2.0, < 3.2.11; >= 3.3.0, < 3.3.9
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes A
Source: nvd
CVE-2024-21652 | P3 | CRITICAL | CVSS 9.8 | CWE-307 | published 2024-03-18
Affected: fixed in 2.8.13; >= 2.9.0, < 2.9.9; +1 more range
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vul
Source: nvd
CVE-2024-31989 | P3 | CRITICAL | CVSS 9.0 | CWE-327 | published 2024-05-21
Affected: fixed in 2.8.19; >= 2.9.0-rc1, < 2.9.15; +3 more ranges
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configurat
Source: nvd
CVE-2022-24768 | P3 | HIGH | CVSS 8.8 | CWE-200 | published 2022-03-23
Affected: >= 0.5.0, < 2.1.14; >= 2.2.0, < 2.2.8; +1 more range
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All unpatched versions of Argo CD starting with 1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level. Versions starting with 0.8.0 and 0.5.0 contain limited versions of this issue. To perform exp
Source: nvd
CVE-2023-22482 | P3 | HIGH | CVSS 8.8 | CWE-863 | published 2023-01-26
Affected: >= 1.8.2, < 2.3.13; >= 2.4.0-rc1, < 2.4.19; +2 more ranges
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that clai
Source: nvd
CVE-2023-40029 | P3 | CRITICAL | CVSS 9.6 | CWE-200 | published 2023-09-07
Affected: >= 2.2.0, < 2.6.15; >= 2.7.0, < 2.7.14; +1 more range
Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored in the `kubectl.kubernetes.io/last-applied-configuration` annotation. Pull request #7139 introduced the ability to manage cluster labels and annotations. Since c
Source: nvd
CVE-2023-23947 | P3 | HIGH | CVSS 8.5 | CWE-863 | published 2023-02-16
Affected: >= 2.3.0-rc1, < 2.3.17; >= 2.4.0, < 2.4.23; +2 more ranges
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23, 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. The attacker could use this acce
Source: nvd
CVE-2023-22736 | P3 | HIGH | CVSS 8.5 | CWE-862 | published 2023-01-26
Affected: >= 2.5.0-rc1, < 2.5.8; >= 2.6.0-rc4, < 2.6.0-rc5
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces. Reconciled Application namespaces are specifie
Source: nvd
CVE-2022-31105 | P3 | CRITICAL | CVSS 9.6 | CWE-295 | published 2022-07-12
Affected: >= 0.4.0, < 2.2.11; >= 2.3.0, < 2.3.6; +1 more range
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has be
Source: nvd
CVE-2025-59531 | P3 | HIGH | CVSS 7.5 | CWE-703 | published 2025-10-01
Affected: >= 1.2.0, <= 1.8.7; >= 2.0.0-rc1, < 2.14.20; +3 more ranges
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret,
Source: nvd
CVE-2025-59538 | P3 | HIGH | CVSS 7.5 | CWE-248 | published 2025-10-01
Affected: >= 2.9.0-rc1, < 2.14.20; >= 3.2.0-rc1, < 3.2.0-rc2; +2 more ranges
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it rece
Source: nvd
CVE-2022-31034 | P3 | HIGH | CVSS 8.1 | CWE-330 | published 2022-06-27
Affected: >= 0.11.0, < 2.1.16; >= 2.2.0, < 2.2.10; +2 more ranges
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in OAuth2/OIDC login flows. In each case, using a
Source: nvd
CVE-2020-8827 | P3 | HIGH | CVSS 7.5 | CWE-307 | published 2020-04-08
Affected: fixed in 2.8.13; >= 2.9.0, < 2.9.9; +1 more range
As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence.
Source: nvd
CVE-2025-59537 | P3 | HIGH | CVSS 7.5 | CWE-20 | published 2025-10-01
Affected: >= 1.2.0, <= 1.8.7; >= 2.0.0-rc1, < 2.14.20; +3 more ranges
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret
Source: nvd
CVE-2024-40634 | P3 | HIGH | CVSS 7.5 | CWE-400 | published 2024-07-22
Affected: >= 1.0.0, < 2.9.20; >= 2.10.0, < 2.10.15; +1 more range
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill
Source: nvd
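The four webhook entries above (CVE-2025-59531, CVE-2025-59537 and CVE-2025-59538 for the crash when a provider's secret or credentials are left unset, CVE-2024-40634 for the oversized JSON payload) share one lesson: an unauthenticated endpoint must turn every failure into a response, never into an exception or unbounded work. The following is an added example of a webhook intake written that way, beside the fragile shape; it is not Argo CD's handler. The `X-Gogs-Signature` header name, the HMAC-SHA256 hex digest format and the 1 MiB cap are assumptions for the example.

```python
"""Webhook intake guard: fail closed, never crash.

Added example, not Argo CD's handler. Three checks map to the bug classes
on this page: a body-size cap before parsing (CVE-2024-40634), refusing to
run when no secret is configured instead of crashing (CVE-2025-59531/
-59537/-59538), and a constant-time signature compare.
Assumptions: a Gogs-style `X-Gogs-Signature` header carrying an HMAC-SHA256
hex digest of the raw body, and a 1 MiB size cap.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional

MAX_BODY_BYTES = 1024 * 1024        # assumption: generous for a push event
SIGNATURE_HEADER = "X-Gogs-Signature"  # assumption for the example


@dataclass
class Response:
    status: int
    reason: str


def sign(body: bytes, secret: bytes) -> str:
    """Signature a webhook sender would attach (used to build test requests)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_webhook_unsafe(body: bytes, headers: Dict[str, str],
                          secret: Optional[bytes]) -> Response:
    """Fragile shape: assumes `secret` is configured.

    With secret=None, hmac.new raises TypeError. Unhandled, that exception
    ends the worker; in a single-process server it ends service for every
    client, which is what makes a configuration gap a DoS.
    """
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get(SIGNATURE_HEADER, "")):
        return Response(401, "bad signature")
    json.loads(body)
    return Response(200, "ok")


def handle_webhook(body: bytes, headers: Dict[str, str],
                   secret: Optional[bytes]) -> Response:
    """Hardened shape: every failure is a response, none is an exception."""
    # 1. Bound the work before doing any of it (oversized JSON -> OOM class).
    if len(body) > MAX_BODY_BYTES:
        return Response(413, "payload too large")
    # 2. No secret configured means the sender cannot be authenticated;
    #    refuse the request rather than dereferencing None.
    if not secret:
        return Response(401, "webhook secret not configured")
    presented = headers.get(SIGNATURE_HEADER, "")
    expected = sign(body, secret)
    # 3. Constant-time compare on bytes (str compare_digest rejects
    #    non-ASCII with a TypeError, which would be another crash path).
    if not hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8")):
        return Response(401, "bad signature")
    try:
        event = json.loads(body)
    except ValueError:  # includes UnicodeDecodeError and JSONDecodeError
        return Response(400, "invalid JSON")
    if not isinstance(event, dict):
        return Response(400, "unexpected payload shape")
    return Response(200, "ok")


def unsafe_handler_crashes(body: bytes, headers: Dict[str, str]) -> bool:
    """True if the fragile handler raises when no secret is configured."""
    try:
        handle_webhook_unsafe(body, headers, None)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    body = b'{"ref": "refs/heads/main"}'          # constructed push event
    secret = b"example-webhook-secret"            # constructed secret
    good = {SIGNATURE_HEADER: sign(body, secret)}
    print(handle_webhook(body, good, secret))
    print(handle_webhook(body, good, None))
    print("fragile handler crashes without a secret:",
          unsafe_handler_crashes(body, good))
```

The difference between the two handlers when the secret is missing is a 401 to one caller versus a crashed process for all of them; the size check sits first so that an attacker cannot make the server allocate before it has decided whether to talk to them at all.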
CVE-2024-22424 | P3 | HIGH | CVSS 8.3 | CWE-352 | published 2024-01-19
Affected: >= 0.1.0, < 2.7.15; >= 2.8.0, < 2.8.8; +2 more ranges
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 is vulnerable to a cross-site request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same parent domain as Argo CD. A CSRF attack works by tricking an authenticated Ar
Source: nvd
CVE-2024-21661 | P3 | HIGH | CVSS 7.5 | CWE-787 | published 2024-03-18
Affected: fixed in 2.8.13; >= 2.9.0, < 2.9.9; +1 more range
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-thr
Source: nvd
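Most of the rows above express exposure as half-open version ranges, several of them starting at a release candidate (`>= 2.4.0-rc1`, `>= 2.6.0-rc4, < 2.6.0-rc5`). Comparing an installed version against such ranges correctly needs pre-release ordering: `2.6.0-rc5` is older than `2.6.0`, and `rc4` is older than `rc5`. The following is an added example of that comparison, not part of the listing or of Argo CD. The table copies a subset of the ranges printed on this page; ranges hidden behind "+N more" are not on the page and so are not in the table, which is why an empty result means "none of the listed ranges" rather than "not affected".

```python
"""Match an installed Argo CD version against the ranges on this page.

Added example, not part of the listing or of Argo CD. AFFECTED copies a
subset of the ranges printed above; ranges hidden behind "+N more" are not
on the page and are not here, so an empty result means "none of the listed
ranges", not "not affected".
"""
import operator
import re
from typing import Dict, List, Tuple

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")
_CLAUSE_RE = re.compile(r"^(>=|<=|>|<|=)\s*(\S+)$")
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "=": operator.eq}

# Ranges as printed in the rows above (subset; "+N more" omitted).
AFFECTED: Dict[str, List[str]] = {
    "CVE-2025-55190": [">= 2.13.0, < 2.13.9", ">= 2.14.0, < 2.14.16"],
    "CVE-2024-37152": [">= 2.9.3, < 2.9.17", ">= 2.10.0, < 2.10.12"],
    "CVE-2026-42880": [">= 3.2.0, < 3.2.11", ">= 3.3.0, < 3.3.9"],
    "CVE-2023-22482": [">= 1.8.2, < 2.3.13", ">= 2.4.0-rc1, < 2.4.19"],
    "CVE-2023-22736": [">= 2.5.0-rc1, < 2.5.8", ">= 2.6.0-rc4, < 2.6.0-rc5"],
    "CVE-2025-59531": [">= 1.2.0, <= 1.8.7", ">= 2.0.0-rc1, < 2.14.20"],
    "CVE-2025-59538": [">= 2.9.0-rc1, < 2.14.20", ">= 3.2.0-rc1, < 3.2.0-rc2"],
}


def _ident_key(ident: str) -> Tuple[int, str, int]:
    """Sort key for one pre-release identifier.

    Numeric identifiers sort before alphanumeric ones (semver rule 11).
    "rc3" is split into ("rc", 3) so rc10 lands after rc9; strict semver
    compares alphanumerics byte-wise, which is rarely what an operator
    means by a release-candidate number.
    """
    if ident.isdigit():
        return (0, "", int(ident))
    m = re.match(r"^([A-Za-z-]+)(\d*)$", ident)
    if m:
        return (1, m.group(1), int(m.group(2) or 0))
    return (1, ident, 0)


def parse_version(text: str) -> tuple:
    """'v2.6.0-rc3' -> comparable tuple; a pre-release sorts below its release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    # Encode "no pre-release" as the highest tag so that 2.6.0-rc5 < 2.6.0.
    pre_key = (1,) if pre is None else (0, tuple(_ident_key(p) for p in pre.split(".")))
    return (major, minor, patch, pre_key)


def in_range(version: str, spec: str) -> bool:
    """True if `version` satisfies every clause of a spec like '>= 2.13.0, < 2.13.9'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"bad clause: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def affecting(version: str) -> List[str]:
    """CVE IDs from AFFECTED whose printed ranges include `version`."""
    return sorted(cve for cve, specs in AFFECTED.items()
                  if any(in_range(version, s) for s in specs))


if __name__ == "__main__":
    for v in ("v2.13.5", "2.6.0-rc4", "2.6.0", "2.14.20", "1.8.7"):
        print(f"{v:>10}: {affecting(v) or 'none of the listed ranges'}")
```

Feed it the output of `argocd version --short` (stripping the component prefix) and read the result as a triage hint: a hit means the page lists a range that contains you, a miss only means none of the ranges reproduced here do.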