CVE-2026-6388

A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates ...

Insufficient Granularity of Access Control

Overview Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in namespace validation for the ImageUpdater resources. An attacker can perform unauthorized image updates on applications in other namespaces by creating or modifying ImageUpdater resources,...

Insufficient Granularity of Access Control

Overview Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in namespace validation for the ImageUpdater resources. An attacker can perform unauthorized image updates on applications in other namespaces by creating or modifying ImageUpdater resources,...

CVE-2023-50726

A flaw was found in the Argo CD package. An improper validation bug allows users to sync local manifests on app creation, who have create privileges but not override privileges. All other restrictions, including AppProject restrictions, are still enforced. The only restriction that is not enforce...

CVE-2023-22736 argo-cd Controller reconciles apps outside configured namespaces when sharding is enabled

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed...