Critical severity 9.6 · GHSA Advisory · Published May 7, 2026 · Updated May 11, 2026
CVE-2026-42880
Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/argoproj/argo-cd/v3 (Go) | >= 3.2.0, < 3.2.11 | 3.2.11 |
| github.com/argoproj/argo-cd/v3 (Go) | >= 3.3.0, < 3.3.9 | 3.3.9 |
References
- github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3 (nvd: Exploit, Vendor Advisory; WEB)
- github.com/advisories/GHSA-3v3m-wc6v-x4x3 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-42880 (ghsa: ADVISORY)