CVE-2026-42880 PUBLISHED

ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction

Assigner: GitHub_M
Reserved: 30.04.2026 Published: 07.05.2026 Updated: 07.05.2026

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CVSS Score: 9.6

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	argoproj
Product	argo-cd
Versions	Version >= 3.2.0, < 3.2.11 is affected Version >= 3.3.0, < 3.3.9 is affected

References

https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3

Problem Types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE
CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer CWE