
Argoproj Argo Cd vulnerabilities

56 known vulnerabilities affecting argoproj/argo_cd.

Total CVEs: 56
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 8, HIGH 20, MEDIUM 28

Vulnerabilities

Page 2 of 3

CVE | Priority | Severity | CVSS | Affected / fixed versions | Date
CVE-2020-8827 | P3 | HIGH | CVSS 7.5 | fixed in 1.5.0 | 2020-04-08
CWE-307: As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence.
Source: nvd
CVE-2025-59537 | P3 | HIGH | CVSS 7.5 | ≥ 1.2.0, ≤ 1.8.7; ≥ 2.0.0, < 2.14.20; +3 more | 2025-10-01
CWE-20: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret
Source: nvd
CVE-2024-40634 | P3 | HIGH | CVSS 7.5 | ≥ 1.0.0, < 2.9.20; ≥ 2.10.0, < 2.10.15; +1 more | 2024-07-22
CWE-400: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill
Source: nvd
CVE-2024-22424 | P3 | HIGH | CVSS 8.3 | ≥ 2.8.0, < 2.8.8; ≥ 2.9.0, < 2.9.4; +1 more | 2024-01-19
CWE-352: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 are vulnerable to a cross-server request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same parent domain as Argo CD. A CSRF attack works by tricking an authenticated Ar
Source: nvd
CVE-2026-43824 | P3 | HIGH | CVSS 7.7 | ≥ 3.2.0, < 3.2.11; ≥ 3.3.0, < 3.3.9 | 2026-05-02
CWE-212: In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.
Source: nvd
CVE-2021-26923 | P3 | HIGH | CVSS 7.5 | fixed in 1.7.12; ≥ 1.8.0, < 1.8.4 | 2021-03-15
CWE-200: An issue was discovered in Argo CD before 1.8.4. Accessing the endpoint /api/version leaks internal information for the system, and this endpoint is not protected with authentication.
Source: nvd
CVE-2024-21661 | P3 | HIGH | CVSS 7.5 | fixed in 2.8.13; ≥ 2.9.0, < 2.9.9; +1 more | 2024-03-18
CWE-787: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-thr
Source: nvd
CVE-2022-24730 | P3 | MEDIUM | CVSS 6.5 | ≥ 1.3.0, < 2.1.11; ≥ 2.2.0, < 2.2.6; +1 more | 2022-03-23
CWE-22: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.3.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only repository access to leak sensitive files from Argo CD's repo-server. A
Source: nvd
CVE-2024-31990 | P3 | MEDIUM | CVSS 6.3 | ≥ 2.4.0, < 2.8.16; ≥ 2.9.0, < 2.9.12; +1 more | 2024-04-15
CWE-863: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulnerability is fixed in 2.10.7, 2.9.12, and 2.8.16.
Source: nvd
CVE-2023-40025 | P3 | HIGH | CVSS 7.1 | ≥ 2.6.0, ≤ 2.6.13; v2.7.11; +1 more | 2023-08-23
CWE-613: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and
Source: nvd
CVE-2024-41666 | P3 | MEDIUM | CVSS 6.5 | ≥ 2.6.0, < 2.9.21; ≥ 2.10.0, < 2.10.16; +1 more | 2024-07-24
CWE-269: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and grants permission to the user `p, role:myrole, exec, create, */*, allow`, e
Source: nvd
CVE-2023-40584 | P3 | MEDIUM | CVSS 6.5 | ≥ 2.4.0, < 2.6.15; ≥ 2.7.0, < 2.7.14; +1 more | 2023-09-07
CWE-400: Argo CD is a declarative continuous deployment for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component extracts a user-controlled tar.gz file without validating the size of its inner files. As a result, a malicious,
Source: nvd
CVE-2023-25163 | P3 | MEDIUM | CVSS 6.5 | v2.6.0 | 2023-02-08
CWE-532: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or updat
Source: nvd
CVE-2023-50726 | P3 | MEDIUM | CVSS 6.4 | ≥ 1.2.0, < 2.8.12; ≥ 2.9.0, < 2.9.7; +1 more | 2024-03-13
CWE-269: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git.
Source: nvd
CVE-2024-29893 | P3 | MEDIUM | CVSS 6.5 | ≥ 2.4.0, < 2.8.14; ≥ 2.9.0, < 2.9.10; +1 more | 2024-03-29
CWE-400: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm regi
Source: nvd
CVE-2021-3557 | P3 | MEDIUM | CVSS 6.5 | fixed in 1.1.1 | 2022-02-16
CWE-732: A flaw was found in argocd. Any unprivileged user is able to deploy argocd in their namespace and with the created ServiceAccount argocd-argocd-server, the unprivileged user is able to read all resources of the cluster including all secrets which might enable privilege escalations. The highest threat from this vulnerability is to data confidentiality.
Source: nvd
CVE-2018-21034 | P4 | MEDIUM | CVSS 6.5 | ≤ 1.4.2 | 2020-04-09
CWE-200: In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git.
Source: nvd
CVE-2025-23216 | P4 | MEDIUM | CVSS 6.8 | fixed in 2.11.13; ≥ 2.12.0, < 2.12.10; +1 more | 2025-01-30
CWE-200: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either in
Source: nvd
CVE-2022-31016 | P4 | MEDIUM | CVSS 6.5 | ≥ 0.7.0, < 2.1.16; ≥ 2.2.0, < 2.2.10; +2 more | 2022-06-25
CWE-400: Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from
Source: nvd
CVE-2021-26921 | P4 | MEDIUM | CVSS 6.5 | fixed in 1.7.12; ≥ 1.8.0, < 1.8.4 | 2021-02-09
CWE-613: In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled.
Source: nvd