VDB
ANCHORE-2026-42880
ANCHORE-2026-42880
PUBLISHED
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| argoproj | argo-cd | 3.2.0, 3.3.0 |
Timeline
- May 7, 2026 CVE Published