
1462 matches found

Nuclei
added yesterday, 19 views

ArgoCD Project API Token Repository Credentials Exposure

Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability...

CVSS 9.9, AI score 6, EPSS 0.05376
Exploits: 1, References: 3
GithubExploit
added 2026/05/25 12:3 p.m., 58 views

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Argoproj Argo_Cd

CVE-2026-42880 — ArgoCD Secret Exposure via ServerSideDiff A...

CVSS 9.6, AI score 5.8, EPSS 0.00013
Exploits: 2
RedhatCVE
added 2026/05/22 8:13 p.m., 4 views

CVE-2026-43824

A flaw was found in Argo CD. The ServerSideDiff feature allows for the reading of cleartext Kubernetes Secret data. This vulnerability could lead to information disclosure, potentially exposing sensitive configuration details within the Kubernetes environment. Mitigation Mitigation for this issue...

CVSS 9.6, AI score 5.6, EPSS 0.00014
Exploits: 0, References: 4
Wolfi
added 2026/05/20 7:48 p.m., 6 views

GHSA-H98R-WV3H-FR38 vulnerabilities

Vulnerabilities for packages: argo-cd, argocd-image-updater...

AI score 5.8
Exploits: 0
Wolfi
added 2026/05/20 7:48 p.m., 9 views

CVE-2026-45738 vulnerabilities

Vulnerabilities for packages: argo-cd, argocd-image-updater...

AI score 5.8
Exploits: 0
Wolfi
added 2026/05/20 7:48 p.m., 7 views

GHSA-M7CR-M3PV-HGRP vulnerabilities

Vulnerabilities for packages: nfpm, crossplane, src-fingerprint, snyk-cli, kaniko, melange, grype, grafana-alloy, gitsign, dagger, steampipe, external-secrets-operator, kargo, scorecard, argo-cd, flux-image-automation-controller, syft, act, tfsec, argocd-image-updater, xeol, kots, k9s,...

AI score 5.8
Exploits: 0
Wolfi
added 2026/05/20 7:48 p.m., 6 views

GHSA-CRHJ-59GH-8X96 vulnerabilities

Vulnerabilities for packages: nfpm, crossplane, src-fingerprint, snyk-cli, kaniko, melange, grype, grafana-alloy, gitsign, dagger, steampipe, external-secrets-operator, kargo, scorecard, argo-cd, flux-image-automation-controller, syft, act, tfsec, argocd-image-updater, xeol, kots, k9s,...

AI score 5.8
Exploits: 0
Wolfi
added 2026/05/20 7:48 p.m., 8 views

CVE-2026-45571 vulnerabilities

Vulnerabilities for packages: nfpm, crossplane, src-fingerprint, snyk-cli, kaniko, melange, grype, grafana-alloy, gitsign, dagger, steampipe, external-secrets-operator, kargo, scorecard, argo-cd, flux-image-automation-controller, syft, act, tfsec, argocd-image-updater, xeol, kots, k9s,...

CVSS 5.4, AI score 5.8, EPSS 0.00013
Exploits: 0
Wolfi
added 2026/05/20 7:48 p.m., 6 views

CVE-2026-45570 vulnerabilities

Vulnerabilities for packages: nfpm, crossplane, src-fingerprint, snyk-cli, kaniko, melange, grype, grafana-alloy, gitsign, dagger, steampipe, external-secrets-operator, kargo, scorecard, argo-cd, flux-image-automation-controller, syft, act, tfsec, argocd-image-updater, xeol, kots, k9s,...

CVSS 2.3, AI score 5.8, EPSS 0.00018
Exploits: 0
Chainguard
added 2026/05/20 7:17 p.m., 7 views

CVE-2026-45738 vulnerabilities

Vulnerabilities for packages: argocd-image-updater, argocd-image-updater-fips, argo-cd...

AI score 5.8
Exploits: 0
Chainguard
added 2026/05/20 7:17 p.m., 2 views

GHSA-H98R-WV3H-FR38 vulnerabilities

Vulnerabilities for packages: argocd-image-updater, argocd-image-updater-fips, argo-cd...

AI score 5.8
Exploits: 0
Chainguard
added 2026/05/20 7:17 p.m., 2 views

GHSA-CRHJ-59GH-8X96 vulnerabilities

Vulnerabilities for packages: grafana-alloy, zarf, chainloop-cli-fips, amazon-ssm-agent, cloudbeat-fips, kots, flux-image-automation-controller, kubescape-server, gitlab-rails-ce, grype-db, skaffold, gitlab-rails-ce-fips, kubevela, gitlab-runner, external-secrets-operator, gomplate,...

AI score 5.8
Exploits: 0
Chainguard
added 2026/05/20 7:17 p.m., 7 views

CVE-2026-45571 vulnerabilities

Vulnerabilities for packages: grafana-alloy, zarf, chainloop-cli-fips, amazon-ssm-agent, cloudbeat-fips, kots, flux-image-automation-controller, kubescape-server, gitlab-rails-ce, grype-db, skaffold, gitlab-rails-ce-fips, kubevela, gitlab-runner, external-secrets-operator, gomplate,...

CVSS 5.4, AI score 5.8, EPSS 0.00013
Exploits: 0
Chainguard
added 2026/05/20 7:17 p.m., 3 views

GHSA-M7CR-M3PV-HGRP vulnerabilities

Vulnerabilities for packages: grafana-alloy, zarf, chainloop-cli-fips, amazon-ssm-agent, cloudbeat-fips, kots, flux-image-automation-controller, kubescape-server, gitlab-rails-ce, grype-db, skaffold, gitlab-rails-ce-fips, kubevela, gitlab-runner, external-secrets-operator, gomplate,...

AI score 5.8
Exploits: 0
Chainguard
added 2026/05/20 7:17 p.m., 3 views

CVE-2026-45570 vulnerabilities

Vulnerabilities for packages: grafana-alloy, zarf, chainloop-cli-fips, amazon-ssm-agent, cloudbeat-fips, kots, flux-image-automation-controller, kubescape-server, gitlab-rails-ce, grype-db, skaffold, gitlab-rails-ce-fips, kubevela, gitlab-runner, external-secrets-operator, gomplate,...

CVSS 2.3, AI score 5.8, EPSS 0.00018
Exploits: 0
Github Security Blog
added 2026/05/19 3:54 p.m., 7 views

Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation

Summary: A user with application write access (developer role) can set link.argocd.argoproj.io/ annotations on any ArgoCD Application. These annotation values are rendered in the Summary tab's URLs section as elements without URL validation. Using the pipe-separator trick Display Text |...

AI score 6
Exploits: 0, References: 2, Affected Software: 3
Github Security Blog
added 2026/05/19 3:54 p.m., 8 views

Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations

Summary: The original fix for GHSA-3v3m-wc6v-x4x3 is incomplete. argocd app diff --server-side-diff can still expose Kubernetes Secret values embedded in the kubectl.kubernetes.io/last-applied-configuration annotation. The prior fix masks top-level Secret data in ServerSideDiff responses, but it...

AI score 5.8
Exploits: 0, References: 2, Affected Software: 1
OSV
added 2026/05/19 3:54 p.m., 3 views

GHSA-RG3G-4RW9-GQRP Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations

Summary: The original fix for GHSA-3v3m-wc6v-x4x3 is incomplete. argocd app diff --server-side-diff can still expose Kubernetes Secret values embedded in the kubectl.kubernetes.io/last-applied-configuration annotation. The prior fix masks top-level Secret data in ServerSideDiff responses, but it...

CVSS 6.3, AI score 5.8
Exploits: 0, References: 2
RedhatCVE
added 2026/05/18 2:52 p.m., 7 views

CVE-2026-42295

A flaw was found in Argo Workflows, an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. The workflow executor logs all artifact repository credentials, such as S3 (Simple Storage Service) access keys, GCS (Google Cloud Storage) service account keys, Azure...

CVSS 8.5, AI score 5.6, EPSS 0.00042
Exploits: 1, References: 5
RedhatCVE
added 2026/05/18 2:52 p.m., 6 views

CVE-2026-42183

A flaw was found in Argo Workflows. This flaw, a nil pointer dereference in the rbacAuthorization function, affects Single Sign-On (SSO) users. When SSO_DELEGATE_RBAC_TO_NAMESPACE is enabled, an authenticated SSO user whose claims match a namespace-level Role-Based Access Control (RBAC) rule but not an...

CVSS 6.5, AI score 5.8, EPSS 0.00051
Exploits: 1, References: 6