CVE-2026-42880 (critical, CVSS 9.6)
Information Disclosure in argo-cd (CVE-2026-42880)
Summary
A vulnerability in argo-cd (CVE-2026-42880): confidential information can be exposed externally.
AI summary (openai / gpt-4o)
Certain Argo CD versions fail to mask Kubernetes Secret data, allowing attackers to retrieve sensitive information. This poses a risk similar to past incidents where IDs and passwords were leaked. It is crucial to update to the latest patched versions promptly.
Argo CD's ServerSideDiff endpoint (/application.ApplicationService/ServerSideDiff) lacks authorization and data masking, allowing attackers with read-only access to obtain plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This affects versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9. The issue is fixed in versions 3.2.11 and 3.3.9. A workaround involves not setting the annotation argocd.argoproj.io/compare-options: IncludeMutationWebhook=true in Applications.
❓ What is the problem
Argo CD's ServerSideDiff endpoint lacks authorization and data masking, allowing extraction of Kubernetes Secret data.
📍 Affected scope
/application.ApplicationService/ServerSideDiff in Argo CD versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9.
🔥 Severity
Critical: an attacker with only read-only access can extract plaintext secrets.
🔧 How to fix
Upgrade to Argo CD version 3.2.11 or 3.3.9 to fix the issue.
🛡️ Workaround
Do not set the argocd.argoproj.io/compare-options: IncludeMutationWebhook=true annotation on Applications.
🔍 Detection
Monitor API calls to the ServerSideDiff endpoint and review any access that is not expected.
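As an added defender-side check (not from the advisory or the Argo CD project), the script below flags an Argo CD version inside the affected ranges given above and lists the Applications whose compare-options annotation still carries IncludeMutationWebhook=true, which the workaround removes. The Application JSON shape and the sample data are constructed assumptions.

```python
# Added check for CVE-2026-42880: flag affected Argo CD versions and Applications
# carrying the IncludeMutationWebhook=true compare-option the workaround removes.
import json
import re

# Affected ranges from the advisory: 3.2.0 <= v < 3.2.11 and 3.3.0 <= v < 3.3.9
AFFECTED_RANGES = [((3, 2, 0), (3, 2, 11)), ((3, 3, 0), (3, 3, 9))]
ANNOTATION = "argocd.argoproj.io/compare-options"

def parse_version(version):
    """'v3.2.5' -> (3, 2, 5); a pre-release suffix such as '-rc1' is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_affected_version(version):
    """True when the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def has_mutation_webhook_option(app):
    """True when compare-options (a comma-separated list) contains IncludeMutationWebhook=true."""
    raw = (app.get("metadata", {}).get("annotations") or {}).get(ANNOTATION, "")
    return "IncludeMutationWebhook=true" in {opt.strip() for opt in raw.split(",")}

def audit(version, app_list):
    """Applications (namespace/name) that need the annotation removed while the
    running version is affected; an empty list means nothing to do."""
    if not is_affected_version(version):
        return []
    return [
        f"{a['metadata'].get('namespace', 'argocd')}/{a['metadata']['name']}"
        for a in app_list.get("items", [])
        if has_mutation_webhook_option(a)
    ]

# Constructed sample shaped like `kubectl get applications -A -o json` output.
SAMPLE_APPS = json.loads("""{"items": [
 {"metadata": {"name": "payments", "namespace": "argocd", "annotations":
   {"argocd.argoproj.io/compare-options": "ServerSideDiff=true, IncludeMutationWebhook=true"}}},
 {"metadata": {"name": "frontend", "namespace": "argocd", "annotations":
   {"argocd.argoproj.io/compare-options": "IgnoreExtraneous"}}},
 {"metadata": {"name": "batch", "namespace": "team-a"}}]}""")

if __name__ == "__main__":
    print(audit("v3.2.5", SAMPLE_APPS))  # ['argocd/payments']
```

Feed it the real `argocd version` output and the cluster's Application list to get the set of Applications to fix before the upgrade lands.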
Related past incidents (similar incidents extracted from past CVEs)
Similar GitOps GitHub Actions vulnerability allowing sensitive data exposure.
Another Kubernetes Secret exposure vulnerability via misconfigured permissions.
If this happens at your company (expected impact per business scenario)
📌 Kubernetes-based deployment environments.
Potential leakage of Kubernetes Secret data leads to unauthorized access.
📌 DevOps pipelines using Argo CD for CI/CD.
Confidential data leakage could compromise the deployment pipeline security.
📌 Companies utilizing Kubernetes for sensitive workloads.
Risk of exposing sensitive configuration or credentials stored in Secrets.
Recommended action
Companies should immediately patch Argo CD to the latest safe versions and audit system accesses to the affected endpoints.
Response Actions (7 steps)
Concrete steps and command examples for SOC/SRE teams to execute in order
1. Identify exposure (identify)
Audit SBOM/dependencies for affected components. Identify the affected components in the dependency manifests.
7. Post-deployment verification (verify)
Confirm the patched version is live in production. After applying the patch, reproduce the PoC or an equivalent exploitation pattern in staging to confirm the vulnerability is closed. In production, keep monitoring with the same log query as Step 3 to confirm the alert does not recur.