Go modules package
github.com/argoproj/argo-cd/v3
pkg:golang/github.com/argoproj/argo-cd/v3
Vulnerabilities (7)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42880 | Critical | 9.6 | | >= 3.2.0, < 3.2.11 | 3.2.11 | May 7, 2026 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to ex |
| CVE-2025-59538 | — | | | >= 3.2.0-rc1, < 3.2.0-rc2 | 3.2.0-rc2 | Oct 1, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /a |
| CVE-2025-59537 | — | | | >= 3.2.0-rc1, < 3.2.0-rc2 | 3.2.0-rc2 | Oct 1, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to |
| CVE-2025-59531 | — | | | >= 3.2.0-rc1, < 3.2.0-rc2 | 3.2.0-rc2 | Oct 1, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to |
| CVE-2025-55191 | — | | | >= 3.2.0-rc1, < 3.2.0-rc2 | 3.2.0-rc2 | Sep 30, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic |
| CVE-2025-55190 | — | | | < 3.0.14 | 3.0.14 | Sep 4, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials ( |
| CVE-2025-47933 | — | | | < 3.0.4 | 3.0.4 | May 29, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacke |