CVE-2026-42880 | THREATINT

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

PUBLISHED Reserved 2026-04-30 | Published 2026-05-07 | Updated 2026-05-08 | Assigner GitHub_M

CRITICAL: 9.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

Product status

>= 3.2.0, < 3.2.11

affected

>= 3.3.0, < 3.3.9

affected

References

github.com/...rgo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3 exploit

github.com/...rgo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3

cve.org (CVE-2026-42880)

nvd.nist.gov (CVE-2026-42880)

Download JSON