CVE-2020-8827
Description
As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
As of v1.5.0, the Argo API lacked rate limiting, account lockouts and other anti-brute-force measures, allowing unlimited authentication attempts.
Vulnerability
Description
As of v1.5.0, the Argo API did not implement anti-automation measures such as rate limiting, account lockouts, or other anti-brute-force protections [1]. Attackers could submit an unlimited number of authentication attempts without any throttling or account lockout, making brute-force password guessing feasible [1].
Exploitation
An attacker with network access to the Argo API endpoint can repeatedly attempt to authenticate using different credentials. The lack of rate limiting or account lockout allows the attacker to try many passwords in a short period, potentially guessing valid credentials for any user account [1]. Before commit 35a7350, a login attempt for a non-existent username was also answered with a different error than a wrong password, which made username enumeration possible; that commit ensured such requests return a 401 error as well, preventing username enumeration [4].
Impact
Successful brute-force attacks could compromise user accounts, leading to unauthorized access to Argo CD resources. Depending on the privileges of the compromised account, an attacker could deploy malicious workflows, access secrets, or modify configurations.
Mitigation
The vulnerability was addressed by introducing rate limiting for failed login attempts in pull request #3404, which was merged into the Argo CD codebase [3]. The fix uses a Redis cache to track failed attempts per account and enforces a configurable delay after repeated failures [3]. Users should upgrade to a version of Argo CD that includes this fix or apply the relevant patches.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
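As an added illustration (not code from Argo CD or from either pull request), the following Go sketch combines the two fixes described above: one error for unknown usernames and wrong passwords alike, and a per-account failure counter that imposes a delay after repeated failures. It keeps state in a mutex-guarded in-memory map in place of the Redis cache the mitigation describes; the `LoginGuard` type, the password-check callback, the threshold and the delay length are assumptions.

```go
package main

import (
	"errors"
	"sync"
	"time"
)

var (
	ErrInvalidLogin    = errors.New("Invalid username or password") // one error for unknown user and wrong password
	ErrTooManyAttempts = errors.New("too many failed login attempts, try again later")
)

// LoginGuard keeps per-account failure state in memory, standing in for the Redis-backed tracking of PR #3404 (not Argo CD's own code).
type LoginGuard struct {
	mu          sync.Mutex
	failures    map[string]int       // consecutive failures per username
	delayedTill map[string]time.Time // username -> end of its delay window
	maxFailures int                  // failures before a delay is imposed
	delay       time.Duration        // length of the delay window
	now         func() time.Time     // injectable clock, so tests can advance time
}

func NewLoginGuard(maxFailures int, delay time.Duration, now func() time.Time) *LoginGuard {
	return &LoginGuard{failures: map[string]int{}, delayedTill: map[string]time.Time{},
		maxFailures: maxFailures, delay: delay, now: now}
}

// Verify checks the credentials against accounts (username -> password check; in Argo CD this would be
// a bcrypt comparison), counts failures per account and enforces the delay window.
func (g *LoginGuard) Verify(accounts map[string]func(password string) bool, username, password string) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	now := g.now()
	if till, ok := g.delayedTill[username]; ok && now.Before(till) {
		return ErrTooManyAttempts
	}
	check, exists := accounts[username]
	if exists && check(password) {
		delete(g.failures, username) // success clears the counter and any expired delay
		delete(g.delayedTill, username)
		return nil
	}
	g.failures[username]++ // unknown usernames are counted too, so enumeration attempts are throttled as well
	if g.failures[username] >= g.maxFailures { // impose the delay and restart the count
		g.delayedTill[username] = now.Add(g.delay)
		g.failures[username] = 0
	}
	return ErrInvalidLogin
}
```

Because failures for names that do not exist are counted too, the map can grow with arbitrary usernames; a cache with key expiry bounds that. The injectable clock exists only so the delay window can be tested without sleeping.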
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/argoproj/argo-cd (Go) | < 1.5.1 | 1.5.1 |
Affected products
- Argo / Argo API (from the description)
- osv-coords (2 versions): < 1.5.0, + 1 more
- (no CPE) range: < 1.5.0
- (no CPE) range: < 1.5.1
Patches
35a7350b7444 fix: return 401 error code if username does not exist (#3369)
3 files changed · +35 −6
server/session/session.go+1 −1 modified@@ -27,7 +27,7 @@ func NewServer(mgr *sessionmgr.SessionManager, authenticator Authenticator) *Ser // Create generates a JWT token signed by Argo CD intended for web/CLI logins of the admin user // using username/password -func (s *Server) Create(ctx context.Context, q *session.SessionCreateRequest) (*session.SessionResponse, error) { +func (s *Server) Create(_ context.Context, q *session.SessionCreateRequest) (*session.SessionResponse, error) { if q.Token != "" { return nil, status.Errorf(codes.Unauthenticated, "token-based session creation no longer supported. please upgrade argocd cli to v0.7+") }
test/e2e/accounts_test.go+31 −5 modified@@ -4,15 +4,15 @@ import ( "context" "testing" - "github.com/argoproj/argo-cd/pkg/apiclient/session" - "github.com/argoproj/argo-cd/util" - - argocdclient "github.com/argoproj/argo-cd/pkg/apiclient" - "github.com/stretchr/testify/assert" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" "github.com/argoproj/argo-cd/errors" + argocdclient "github.com/argoproj/argo-cd/pkg/apiclient" + "github.com/argoproj/argo-cd/pkg/apiclient/session" . "github.com/argoproj/argo-cd/test/e2e/fixture" + "github.com/argoproj/argo-cd/util" ) func TestCreateAndUseAccount(t *testing.T) { @@ -50,3 +50,29 @@ test true login, apiKey`, output) assert.Equal(t, info.Username, "test") } + +func TestLoginBadCredentials(t *testing.T) { + EnsureCleanState(t) + + closer, sessionClient := ArgoCDClientset.NewSessionClientOrDie() + defer util.Close(closer) + + requests := []session.SessionCreateRequest{{ + Username: "user-does-not-exist", Password: "some-password", + }, { + Username: "admin", Password: "bad-password", + }} + + for _, r := range requests { + _, err := sessionClient.Create(context.Background(), &r) + if !assert.Error(t, err) { + return + } + errStatus, ok := status.FromError(err) + if !assert.True(t, ok) { + return + } + assert.Equal(t, codes.Unauthenticated, errStatus.Code()) + assert.Equal(t, "Invalid username or password", errStatus.Message()) + } +}
util/session/sessionmanager.go+3 −0 modified@@ -156,6 +156,9 @@ func (mgr *SessionManager) Parse(tokenString string) (jwt.Claims, error) { func (mgr *SessionManager) VerifyUsernamePassword(username string, password string) error { account, err := mgr.settingsMgr.GetAccount(username) if err != nil { + if errStatus, ok := status.FromError(err); ok && errStatus.Code() == codes.NotFound { + err = status.Errorf(codes.Unauthenticated, invalidLoginError) + } return err } if !account.Enabled {
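Review bot: in the server/session/session.go hunk the only change is renaming the unused `ctx` parameter of `Create` to `_`, which is fine as a lint cleanup; if a per-account failure counter backed by a Redis cache is later wired into this handler (as the mitigation text describes for PR #3404), a request-scoped context is what the cache client will need for timeouts and cancellation, so consider keeping `ctx` and passing it through rather than discarding it.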
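Review bot: in the `TestLoginBadCredentials` loop in test/e2e/accounts_test.go, the `if !assert.Error(t, err) { return }` and `if !assert.True(t, ok) { return }` pattern ends the test after the first failing request, so a regression on the `user-does-not-exist` case would leave the `admin` / `bad-password` case unexercised and the failure report would not say which one broke. `require.Error(t, err)` and `require.True(t, ok)` from testify give the same early stop with a clear message, or replace `return` with `continue` so both requests are always checked.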
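Review bot: the new branch in `VerifyUsernamePassword` (util/session/sessionmanager.go) maps only `codes.NotFound` from `GetAccount` to `codes.Unauthenticated`; any other error from the account lookup is still returned verbatim, so a caller can still distinguish a failed lookup from a bad password. Since the goal of this change is one uniform response, consider logging the original `err` server-side and returning `status.Errorf(codes.Unauthenticated, invalidLoginError)` for every non-nil `err`. Note also that this path still returns before the `account.Enabled` check and the credential verification that follows, so the two cases remain distinguishable by response time; the per-account delay from PR #3404 limits how much that matters, but running the same amount of work on both paths (for example a dummy comparison for unknown users) would close that gap as well.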
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-xcqr-9h24-vrgw (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-8827 (ghsa, ADVISORY)
- argoproj.github.io/argo-cd/operator-manual/user-management/ (ghsa, x_refsource_MISC, WEB)
- argoproj.github.io/argo-cd/security_considerations (ghsa, WEB)
- argoproj.github.io/argo-cd/security_considerations/ (mitre, x_refsource_MISC)
- github.com/argoproj/argo-cd/commit/35a7350b7444bcaf53ee0bb11b9d8e3ae4b717a1 (ghsa, WEB)
- github.com/argoproj/argo-cd/pull/3369 (ghsa, WEB)
- github.com/argoproj/argo-cd/pull/3404 (ghsa, WEB)
- www.soluble.ai/blog/argo-cves-2020 (ghsa, x_refsource_MISC, WEB)