CVE-2026-15416 PUBLISHED

Argo-cd: argo cd unauthenticated remote code execution in repo-server via generatemanifest grpc endpoint

Assigner: redhat
Reserved: 10.07.2026 Published: 14.07.2026 Updated: 14.07.2026

A flaw was identified in Argo CD, the GitOps engine used by Red Hat OpenShift GitOps, that could allow an unauthenticated attacker with network access to the Argo CD repo-server to achieve remote code execution. Under certain conditions, the attacker may then manipulate cached data to deploy malicious Kubernetes resources to managed clusters, potentially resulting in complete cluster compromise.

Metrics

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
CVSS Score: 8.9

Product Status

Vendor argoproj
Product argo-helm
Versions Default: unaffected
  • affected from 0 to 10.0.0 (excl.)
Vendor Red Hat
Product Red Hat Openshift Data Foundation 4
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift GitOps
Versions Default: unknown
Vendor Red Hat
Product Red Hat OpenShift GitOps
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift GitOps
Versions Default: affected
Vendor Red Hat
Product Red Hat OpenShift GitOps
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift GitOps
Versions Default: affected
Vendor Red Hat
Product Red Hat OpenShift GitOps
Versions Default: unknown
Vendor Red Hat
Product Red Hat OpenShift GitOps
Versions Default: affected
Vendor Red Hat
Product Red Hat OpenShift GitOps
Versions Default: affected
Vendor Red Hat
Product Red Hat OpenShift GitOps
Versions Default: affected
Vendor Red Hat
Product Red Hat OpenShift GitOps
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift GitOps
Versions Default: unaffected

Workarounds

Limit network access to the Argo CD repo-server gRPC endpoint to trusted internal components using Kubernetes NetworkPolicy or equivalent network access controls. Do not expose the repo-server outside the cluster or to untrusted networks. Restrict access to the associated Redis service and update to a fixed version once one becomes available.

References

Problem Types

  • Missing Authentication for Critical Function CWE