Github.Com Argoproj Argo-Cd vulnerabilities
34 known vulnerabilities affecting github.com/argoproj_argo-cd.
Total CVEs
34
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL8HIGH13MEDIUM11LOW1UNKNOWN1
Vulnerabilities
Page 2 of 2
CVE-2022-31016P4MEDIUM≥ 0.7.0, < 2.1.162022-06-21
CVE-2022-31016 [MEDIUM] CWE-400 DoS through large manifest files in Argo CD
DoS through large manifest files in Argo CD
### Impact
All versions of Argo CD starting with v0.7.0 are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the [repo-server](https://argo-cd.readthedocs.io/en/stable/operator-manual/architecture/#repository-server) service. The repo-server is a critical component of Argo CD, so crashing the repo-server effectively denies c
ghsaosv
CVE-2022-24731P4MEDIUM≥ 1.5.0, < 2.1.11≥ 2.2.0, < 2.2.6+1 more2022-03-24
CVE-2022-24731 [MEDIUM] CWE-209 Path traversal allows leaking out-of-bound files from Argo CD repo-server
Path traversal allows leaking out-of-bound files from Argo CD repo-server
### Impact
All unpatched versions of Argo CD starting with v1.5.0 are vulnerable to a path traversal vulnerability allowing a malicious user with read/write access to leak sensitive files from Argo CD's repo-server.
A malicious Argo CD user who has been granted [`create` or `update` access to Applications](https://a
ghsaosv
CVE-2022-31102P4LOW≥ 2.3.0, < 2.3.6≥ 2.4.0, < 2.4.52022-07-12
CVE-2022-31102 [LOW] CWE-79 Argo CD SSO users vulnerable to Cross-site Scripting
Argo CD SSO users vulnerable to Cross-site Scripting
### Impact
All versions of Argo CD starting with 2.3.0 are vulnerable to a cross-site scripting (XSS) bug which could allow an attacker to inject arbitrary JavaScript in the `/auth/callback` page in a victim's browser.
This vulnerability only affects Argo CD instances which have SSO enabled.
The exploit also assumes the attacker has 1) access to the API server
ghsaosv
CVE-2025-47933P4CRITICAL≥ 1.2.0-rc1, ≤ 1.8.72025-05-28
CVE-2025-47933 [CRITICAL] CWE-79 Argo CD allows cross-site scripting on repositories page
Argo CD allows cross-site scripting on repositories page
### Impact
This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository.
In `ui/src/app/s
ghsaosv
CVE-2020-11576P4MEDIUM≥ 1.5.0, < 1.5.12021-12-09
CVE-2020-11576 [MEDIUM] CWE-203 Observable Discrepancy in Argo
Observable Discrepancy in Argo
Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts because /api/v1/session returned 401 for an existing username and 404 otherwise.
### Specific Go Packages Affected
github.com/argoproj/argo-cd/util/session
github.com/argoproj/argo-cd/server/session
ghsaosv
CVE-2022-31035P4CRITICAL≥ 1.0.0, < 2.1.162022-06-21
CVE-2022-31035 [CRITICAL] CWE-79 Argo CD's external URLs for Deployments can include JavaScript
Argo CD's external URLs for Deployments can include JavaScript
### Impact
All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin).
The script would be capable of doing an
ghsaosv
CVE-2024-28175P4CRITICAL≥ 1.0.0, ≤ 1.8.72024-03-15
CVE-2024-28175 [CRITICAL] CWE-79 Cross-site scripting on application summary component
Cross-site scripting on application summary component
### Summary
Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions.
### Impact
All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing
ghsaosv
CVE-2022-41354P4MEDIUM≥ 0.5.0, ≤ 1.8.72023-03-23
CVE-2022-41354 [MEDIUM] CWE-203 Argo CD authenticated but unauthorized users may enumerate Application names via the API
Argo CD authenticated but unauthorized users may enumerate Application names via the API
### Impact
All versions of Argo CD starting with v0.5.0 are vulnerable to an information disclosure bug allowing unauthorized users to enumerate application names by inspecting API error messages. An attacker could use the discovered application names as the starting point of another att
ghsaosv
CVE-2022-31036P4MEDIUM≥ 1.3.0, < 2.1.162022-06-21
CVE-2022-31036 [MEDIUM] CWE-20 Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server
Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server
### Impact
All unpatched versions of Argo CD starting with v1.3.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive YAML files from Argo CD's repo-server.
A malicious Argo CD user with write access for a repository which is (or may be)
ghsaosv
CVE-2023-40026P4MEDIUM≥ 0, ≤ 1.8.72023-09-27
CVE-2023-40026 [MEDIUM] CWE-22 Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server
Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server
### Impact
In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. This was possible b
ghsaosv
CVE-2022-24905P4MEDIUM≥ 0, < 2.1.152022-05-24
CVE-2022-24905 [MEDIUM] CWE-20 Login screen allows message spoofing if SSO is enabled
Login screen allows message spoofing if SSO is enabled
### Impact
A vulnerability was found in Argo CD that allows an attacker to spoof error messages on the login screen when SSO is enabled.
In order to exploit this vulnerability, an attacker would have to trick the victim to visit a specially crafted URL which contains the message to be displayed.
As far as the research of the Argo CD team concluded, it i
ghsaosv
CVE-2024-36106P4MEDIUM≥ 0.11.0, < 2.9.17≥ 2.10.0, < 2.10.12+1 more2024-06-06
CVE-2024-36106 [MEDIUM] CWE-209 Argo-cd authenticated users can enumerate clusters by name
Argo-cd authenticated users can enumerate clusters by name
### Impact
It’s possible for authenticated users to enumerate clusters by name by inspecting error messages:
```
$ curl -k 'https://localhost:8080/api/v1/clusters/in-cluster?id.type=name' -H "Authorization:
Bearer $token"
{"error":"permission denied: clusters, get, , sub: alice, iat: 2022-11-04T20:25:44Z","code":7,"message":"permission denied: cl
ghsaosv
CVE-2021-23347P4UNKNOWN≥ 0, < 1.7.13≥ 1.8.0, < 1.8.62024-08-21
CVE-2021-23347 Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd
Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd
Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd
osv
CVE-2026-45738HIGH≥ 0, ≤ 1.8.72026-05-19
CVE-2026-45738 [HIGH] CWE-79 Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation
Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation
### Summary
A user with **application write access (developer role)** can set `link.argocd.argoproj.io/*` annotations on any ArgoCD Application. These annotation values are rendered in the Summary tab's **URLs section** as `` elements without URL validation. Using the
ghsa
← Previous2 / 2