
Github.Com Argoproj Argo-Cd V3 vulnerabilities

9 known vulnerabilities affecting github.com/argoproj_argo-cd_v3.

Total CVEs: 9
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 3, HIGH 4, MEDIUM 2

Vulnerabilities

CVE-2025-55190 (P1, CRITICAL, exploited in the wild, public PoC)
Affected versions: ≥ 0, < 3.0.14; ≥ 3.1.0-rc1, < 3.1.2
Published: 2025-09-04
CWE-200: Argo CD's Project API Token Exposes Repository Credentials
Summary: Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. Component: `Project API (/api/v1/projects/{project}/detai
Sources: GHSA, OSV
CVE-2026-42880 (P2, CRITICAL)
Affected versions: ≥ 3.2.0, < 3.2.11; ≥ 3.3.0, < 3.3.9
Published: 2026-05-07
CWE-200: ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
Summary: There is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism.
Details: Argo CD masks Secret data in every endpoint
Sources: GHSA
CVE-2025-59531 (P3, HIGH)
Affected versions: ≥ 3.2.0-rc1, < 3.2.0-rc2; ≥ 3.1.0-rc1, < 3.1.8; +1 more
Published: 2025-09-30
CWE-703: Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload
Summary: Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration (no `webhook.bitbucketserver.secret` set), Argo CD's /api/webhook endpoint will crash the entire argocd-s
Sources: GHSA, OSV
CVE-2025-59538 (P3, HIGH)
Affected versions: ≥ 3.2.0-rc1, < 3.2.0-rc2; ≥ 3.1.0-rc1, < 3.1.8; +1 more
Published: 2025-09-30
CWE-248: Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook
Summary: In the default configuration (`webhook.azuredevops.username` and `webhook.azuredevops.password` not set), Argo CD's /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is acces
Sources: GHSA, OSV
CVE-2025-59537 (P3, HIGH)
Affected versions: ≥ 3.2.0-rc1, < 3.2.0-rc2; ≥ 3.1.0-rc1, < 3.1.8; +1 more
Published: 2025-09-30
CWE-20: argo-cd vulnerable to unauthenticated DoS via malformed Gogs webhook payload
Summary: Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration (no `webhook.gogs.secret` set), Argo CD's /api/webhook endpoint will crash the entire argocd-server process when it receives a G
Sources: GHSA, OSV
CVE-2025-55191 (P4, MEDIUM)
Affected versions: ≥ 3.2.0-rc1, < 3.2.0-rc2; ≥ 3.1.0-rc1, < 3.1.8; +1 more
Published: 2025-09-30
CWE-362: Repository Credentials Race Condition Crashes Argo CD Server
Summary: A race condition in the repository credentials handler can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL.
Details: The vulnerability is located in numerous repository-related handlers in the `util/db/repository_secrets.go` file. For example, in the `secretToRepo
Sources: GHSA, OSV
CVE-2025-47933 (P4, CRITICAL)
Affected versions: ≥ 0, < 3.0.4
Published: 2025-05-28
CWE-79: Argo CD allows cross-site scripting on repositories page
Impact: This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. In `ui/src/app/s
Sources: GHSA, OSV
CVE-2026-45738 (HIGH)
Affected versions: ≥ 0, < 3.2.12; ≥ 3.3.0-rc1, < 3.3.10; +1 more
Published: 2026-05-19
CWE-79: Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation
Summary: A user with application write access (developer role) can set `link.argocd.argoproj.io/*` annotations on any ArgoCD Application. These annotation values are rendered in the Summary tab's URLs section as `<a>` elements without URL validation. Using the
Sources: GHSA
CVE-2026-45737 (MEDIUM)
Affected versions: ≥ 3.2.0, < 3.2.12; ≥ 3.3.0-rc1, < 3.3.10; +1 more
Published: 2026-05-19
CWE-200: Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations
Summary: The original fix for GHSA-3v3m-wc6v-x4x3 (https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3) is incomplete. `argocd app diff --server-side-diff` can still expose Kubernetes Secret values embedded in the kubectl.kubernetes.io/last-applied-configuratio
Sources: GHSA