VYPR

Vendor CVEs

Argoproj

All CVEs

68 total · sorted by risk
  • CVE-2026-6388CriApr 15, 2026
    risk 0.59cvss 9.1epss 0.00

    A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger…

  • CVE-2025-32445CriApr 15, 2025
    risk 0.57cvss 9.9epss 0.01

    Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The…

  • CVE-2026-42880CriMay 7, 2026
    risk 0.55cvss 9.6epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to…

  • CVE-2026-42297HigMay 9, 2026
    risk 0.47cvss 8.3epss 0.01

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD…

  • CVE-2026-42296HigMay 9, 2026
    risk 0.46cvss 8.1epss 0.00

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts,…

  • CVE-2024-13484HigJan 28, 2025
    risk 0.46cvss 8.2epss 0.00

    A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform…

  • CVE-2024-52799HigNov 21, 2024
    risk 0.46cvss 8.2epss 0.00

    Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the same namespace, i.e. arbitrary code…

  • CVE-2026-43824HigMay 2, 2026
    risk 0.43cvss 7.7epss 0.00

    In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.

  • CVE-2026-40886HigApr 23, 2026
    risk 0.43cvss 7.7epss 0.00

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed…

  • CVE-2026-42294HigMay 9, 2026
    risk 0.42cvss 7.5epss 0.01

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature.…

  • CVE-2026-45738higMay 19, 2026
    risk 0.38cvss epss 0.00

    ### Summary A user with **application write access (developer role)** can set `link.argocd.argoproj.io/*` annotations on any ArgoCD Application. These annotation values are rendered in the Summary tab's **URLs section** as `` elements without URL validation. Using the…

  • CVE-2026-42183MedMay 9, 2026
    risk 0.35cvss 6.5epss 0.00

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, a nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization() causes a panic (denial of service) for SSO…

  • CVE-2026-42295MedMay 9, 2026
    risk 0.25cvss 4.9epss 0.00

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials (S3 access keys, secret keys, GCS service account keys,…

  • CVE-2024-52814LowNov 22, 2024
    risk 0.11cvss 2.8epss 0.00

    Argo Helm is a collection of community maintained charts for `argoproj.github.io` projects. Prior to version 0.45.0, the `workflow-role`) lacks granularity in its privileges, giving permissions to `workflowtasksets` and `workflowartifactgctasks` to all workflow Pods, when only…

  • CVE-2026-45737May 19, 2026
    risk 0.00cvss epss 0.00

    ### Summary The original fix for [GHSA-3v3m-wc6v-x4x3](https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3) is incomplete. argocd app diff --server-side-diff can still expose Kubernetes Secret values embedded in the kubectl.kubernetes.io/last-applied-confi…

  • CVE-2026-31892Mar 11, 2026
    risk 0.00cvss epss 0.00

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 2.9.0 to before 4.0.2 and 3.7.11, A user who can submit Workflows can completely bypass all security settings defined in a WorkflowTemplate by including a…

  • CVE-2026-28229Mar 11, 2026
    risk 0.00cvss epss 0.01

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with a…

  • CVE-2026-23960Jan 21, 2026
    risk 0.00cvss epss 0.00

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s…

  • CVE-2025-66626Dec 9, 2025
    risk 0.00cvss epss 0.01

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4, contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's…

  • CVE-2025-62157Oct 14, 2025
    risk 0.00cvss epss 0.00

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. An…

  • CVE-2025-62156Oct 14, 2025
    risk 0.00cvss epss 0.01

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 contain a Zip Slip path traversal vulnerability in artifact extraction. During artifact extraction the…

  • CVE-2025-59538Oct 1, 2025
    risk 0.00cvss epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the…

  • CVE-2025-59537Oct 1, 2025
    risk 0.00cvss epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to…

  • CVE-2025-59531Oct 1, 2025
    risk 0.00cvss epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to…

  • CVE-2025-55191Sep 30, 2025
    risk 0.00cvss epss 0.00

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to…

  • CVE-2025-55190Sep 4, 2025
    risk 0.00cvss epss 0.05

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials…

  • CVE-2025-47933May 29, 2025
    risk 0.00cvss epss 0.00

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an…

  • CVE-2025-23216Jan 30, 2025
    risk 0.00cvss epss 0.00

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes…

  • CVE-2024-53862Dec 2, 2024
    risk 0.00cvss epss 0.01

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. When using `--auth-mode=client`, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint:…

  • CVE-2024-47827Oct 28, 2024
    risk 0.00cvss epss 0.00

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition in a global variable in 3.6.0-rc1, the argo workflows controller can be made to crash on-command by any user with access to execute a…

  • CVE-2024-41666Jul 24, 2024
    risk 0.00cvss epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and…

  • CVE-2024-40634Jul 22, 2024
    risk 0.00cvss epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation…

  • CVE-2024-37152Jun 6, 2024
    risk 0.00cvss epss 0.02

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This…

  • CVE-2024-36106Jun 6, 2024
    risk 0.00cvss epss 0.00

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the…

  • CVE-2024-31989May 21, 2024
    risk 0.00cvss epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI…

  • CVE-2024-32476Apr 26, 2024
    risk 0.00cvss epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16.

  • CVE-2024-31990Apr 15, 2024
    risk 0.00cvss epss 0.00

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and…

  • CVE-2024-29893Mar 29, 2024
    risk 0.00cvss epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server…

  • CVE-2024-21662Mar 18, 2024
    risk 0.00cvss epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in…

  • CVE-2024-21661Mar 18, 2024
    risk 0.00cvss epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all…

  • CVE-2024-21652Mar 18, 2024
    risk 0.00cvss epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the…

  • CVE-2023-50726Mar 13, 2024
    risk 0.00cvss epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted…

  • CVE-2024-28175Mar 13, 2024
    risk 0.00cvss epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated…

  • CVE-2024-22424Jan 19, 2024
    risk 0.00cvss epss 0.00

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 are vulnerable to a cross-server request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same…

  • CVE-2023-40026Sep 27, 2023
    risk 0.00cvss epss 0.01

    Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the…

  • CVE-2023-40584Sep 7, 2023
    risk 0.00cvss epss 0.01

    Argo CD is a declarative continuous deployment for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component extracts a user-controlled tar.gz file…

  • CVE-2023-40029Sep 7, 2023
    risk 0.00cvss epss 0.01

    Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored in`kubectl.kubernetes.io/last-applied-configuration` annotation. pull request #7139…

  • CVE-2023-40025Aug 23, 2023
    risk 0.00cvss epss 0.00

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired.…

  • CVE-2023-23947Feb 16, 2023
    risk 0.00cvss epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one…

  • CVE-2023-25163Feb 8, 2023
    risk 0.00cvss epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are…

Page 1 of 2