Argoproj Argo CD vulnerabilities
56 known vulnerabilities affecting argoproj/argo_cd.
Total CVEs: 56
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 8, HIGH 20, MEDIUM 28
Vulnerabilities
Page 1 of 3
CVE-2025-55190 | Priority P1 | CRITICAL | CVSS 9.9 | Exploited in wild | Public PoC | CWE-200 | Published 2025-09-04
Affected versions: ≥ 2.2.0, < 2.13.9; ≥ 2.14.0, < 2.14.16; +2 more
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even
Source: nvd
CVE-2024-37152 | Priority P2 | HIGH | CVSS 7.5 | Public PoC | CWE-287 | Published 2024-06-06
Affected versions: ≥ 2.9.3, < 2.9.17; ≥ 2.10.0, < 2.10.12; +1 more
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by the /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
Source: nvd
CVE-2022-29165 | Priority P2 | CRITICAL | CVSS 10.0 | CWE-200 | Published 2022-05-20
Affected versions: ≥ 1.4.0, < 2.1.15; ≥ 2.2.0, < 2.2.9; +1 more
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate any Argo CD user or role, including the `admin` user, by sending a specifically crafte
Source: nvd
CVE-2026-42880 | Priority P2 | CRITICAL | CVSS 9.6 | CWE-200 | Published 2026-05-07
Affected versions: ≥ 3.2.0, < 3.2.11; ≥ 3.3.0, < 3.3.9
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes A
Source: nvd
CVE-2024-21652 | Priority P3 | CRITICAL | CVSS 9.8 | CWE-307 | Published 2024-03-18
Affected versions: fixed in 2.8.13; ≥ 2.9.0, < 2.9.9; +1 more
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and an in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vul
Source: nvd
CVE-2024-31989 | Priority P3 | CRITICAL | CVSS 9.0 | CWE-327 | Published 2024-05-21
Affected versions: fixed in 2.8.19; ≥ 2.9.0, < 2.9.15; +2 more
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configurat
Source: nvd
CVE-2024-21662 | Priority P3 | CRITICAL | CVSS 9.1 | Published 2024-03-18
Affected versions: fixed in 2.8.13; ≥ 2.9.0, < 2.9.9; +1 more
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin acco
Source: nvd
CVE-2022-24768 | Priority P3 | HIGH | CVSS 8.8 | CWE-200 | Published 2022-03-23
Affected versions: ≥ 0.5.0, < 2.1.14; ≥ 2.2.0, < 2.2.8; +1 more
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All unpatched versions of Argo CD starting with 1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level. Versions starting with 0.8.0 and 0.5.0 contain limited versions of this issue. To perform exp
Source: nvd
CVE-2023-22482 | Priority P3 | HIGH | CVSS 8.8 | CWE-863 | Published 2023-01-26
Affected versions: ≥ 1.8.2, < 2.3.14; ≥ 2.4.0, < 2.4.20; +2 more
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that clai
Source: nvd
CVE-2023-40029 | Priority P3 | CRITICAL | CVSS 9.6 | CWE-200 | Published 2023-09-07
Affected versions: ≥ 2.2.0, < 2.6.15; ≥ 2.7.0, < 2.7.14; +1 more
Argo CD is a declarative continuous deployment tool for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored in the `kubectl.kubernetes.io/last-applied-configuration` annotation. Pull request #7139 introduced the ability to manage cluster labels and annotations. Since c
Source: nvd
CVE-2020-8828 | Priority P3 | HIGH | CVSS 8.8 | CWE-287 | Published 2020-04-08
Affected versions: fixed in 1.5.0
As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and could wind up just about anywhere.
Source: nvd
CVE-2023-23947 | Priority P3 | HIGH | CVSS 8.5 | CWE-863 | Published 2023-02-16
Affected versions: ≥ 2.3.0, < 2.3.17; ≥ 2.4.0, < 2.4.23; +2 more
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23, 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. The attacker could use this acce
Source: nvd
CVE-2023-22736 | Priority P3 | HIGH | CVSS 8.5 | CWE-862 | Published 2023-01-26
Affected versions: ≥ 2.5.0, < 2.5.8; v2.6.0
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces. Reconciled Application namespaces are specifie
Source: nvd
CVE-2022-31105 | Priority P3 | CRITICAL | CVSS 9.6 | CWE-295 | Published 2022-07-12
Affected versions: ≥ 2.3.0, < 2.3.6; ≥ 2.4.0, < 2.4.5
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has be
Source: nvd
CVE-2022-1025 | Priority P3 | HIGH | CVSS 8.8 | CWE-284 | Published 2022-07-12
Affected versions: ≥ 0.5.0, ≤ 2.1.12; ≥ 2.2.0, ≤ 2.2.7; +1 more
All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level.
Source: nvd
CVE-2025-59531 | Priority P3 | HIGH | CVSS 7.5 | CWE-703 | Published 2025-10-01
Affected versions: ≥ 1.2.0, ≤ 1.8.7; ≥ 2.0.0, < 2.14.20; +3 more
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret,
Source: nvd
CVE-2025-59538 | Priority P3 | HIGH | CVSS 7.5 | CWE-248 | Published 2025-10-01
Affected versions: ≥ 2.9.0, < 2.14.20; ≥ 3.0.0, < 3.0.19; +2 more
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it rece
Source: nvd
CVE-2020-8826 | Priority P3 | HIGH | CVSS 7.5 | CWE-384 | Published 2020-04-08
Affected versions: ≤ 1.5.0
As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration; there was no refresh or forced re-authentication.
Source: nvd
CVE-2022-24348 | Priority P3 | HIGH | CVSS 7.7 | CWE-22 | Published 2022-02-04
Affected versions: fixed in 2.1.9; ≥ 2.2.0, < 2.2.4
Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file.
Source: nvd
CVE-2022-31034 | Priority P3 | HIGH | CVSS 8.1 | CWE-330 | Published 2022-06-27
Affected versions: ≥ 0.11.0, < 2.1.16; v2.2.9; +2 more
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in OAuth2/OIDC login flows. In each case, using a
Source: nvd