VDB

ANCHORE-2026-42880

ANCHORE-2026-42880 PUBLISHED

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

Affected Products

VendorProductVersions
argoprojargo-cd3.2.0, 3.3.0

Timeline

  • May 7, 2026 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›