VYPR
Moderate severityGHSA Advisory· Published May 19, 2026· Updated May 19, 2026

Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations

CVE-2026-45737

Description

Summary

The original fix for GHSA-3v3m-wc6v-x4x3 is incomplete. argocd app diff --server-side-diff can still expose Kubernetes Secret values embedded in the kubectl.kubernetes.io/last-applied-configuration annotation.

The prior fix masks top-level Secret data in ServerSideDiff responses, but it does not fully sanitize Secret data stored inside the last-applied-configuration annotation. If a Secret was previously created or updated using client-side apply, that annotation may contain raw data, stringData, and sensitive annotations. These values can be shown in UI/CLI diffs.

Details

The ServerSideDiff endpoint returns ResourceDiff.TargetState / LiveState based on server-side dry-run output. Kubernetes server-side dry-run can return a full predicted live Secret object that carries forward existing live annotations, including:

kubectl.kubernetes.io/last-applied-configuration For Secrets created with client-side apply, that annotation can contain a JSON-serialized Secret manifest with sensitive values.

The masking path calls HideSecretData(target, live, ...). However, HideSecretData only rewrites the last-applied annotation on the second argument (live). In server-side diff, the first argument can be predictedLive, not a clean Git target. predictedLive can also contain kubectl.kubernetes.io/last-applied-configuration, so the first object’s embedded annotation can remain unmasked.

PoC

Create an app containing this Secret manifest: ``yaml apiVersion: v1 kind: Namespace metadata: name: last-applied-secret-repro --- apiVersion: v1 kind: Secret metadata: name: secret namespace: last-applied-secret-repro annotations: app: test token: SECRETVAL type: Opaque data: password: U0VDUkVUVkFM username: U0VDUkVUVkFM ``

Create and Sync Argo App ``yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: last-applied-secret-repro namespace: argocd annotations: argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true spec: project: default destination: server: https://kubernetes.default.svc namespace: last-applied-secret-repro source: repoURL: https://github.com/YOUR_ORG/YOUR_REPO.git targetRevision: HEAD path: last-applied-secret-repro syncPolicy: automated: prune: true selfHeal: true syncOptions: - CreateNamespace=true - ServerSideApply=true ``

Run argo cd app diff argocd app diff last-applied-secret-repro --server-side-diff --exit-code=false `` ❯ argocd app diff last-applied-secret-repro --server-side-diff --exit-code=false ===== /Secret last-applied-secret-repro/secret ====== 10c10,11 < kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","data":{"password":"++++++++","username":"++++++++"},"kind":"Secret","metadata":{"annotations":{"app":"test","argocd.argoproj.io/tracking-id":"last-applied-secret-repro:/Secret:last-applied-secret-repro/secret","token":"SECRETVAL"},"name":"secret","namespace":"last-applied-secret-repro"},"type":"Opaque"}' --- > kubectl.kubernetes.io/last-applied-configuration: | > {"apiVersion":"v1","data":{"password":"U0VDUkVUVkFM","username":"U0VDUkVUVkFM"},"kind":"Secret","metadata":{"annotations":{"app":"test","argocd.argoproj.io/tracking-id":"last-applied-secret-repro:/Secret:last-applied-secret-repro/secret","token":"SECRETVAL"},"name":"secret","namespace":"last-applied-secret-repro"},"type":"Opaque"} ``

The secret value can be seen inside the diff

Impact

Authenticated Argo CD users who can view application diffs may be able to read Secret values that should be masked.

Impacted values include: Secret data embedded in kubectl.kubernetes.io/last-applied-configuration

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/argoproj/argo-cd/v3Go
>= 3.2.0, < 3.2.123.2.12
github.com/argoproj/argo-cd/v3Go
>= 3.3.0-rc1, < 3.3.103.3.10
github.com/argoproj/argo-cd/v3Go
>= 3.4.0-rc1, < 3.4.23.4.2

Affected products

4

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.