1. Home
  2. CVE Database
  3. CVE-2026-42880
CRITICAL · 9.6

CVE-2026-42880

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo ...

Vulnerability Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

CVSS Score

9.6

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE

Affected Products

VendorProductVersions
ArgoprojArgo Cd>= 3.2.0, < 3.2.11

Related Weaknesses (CWE)

CWE-200CWE-212

References

FAQ

What is CVE-2026-42880?

CVE-2026-42880 is a vulnerability with a CVSS score of 9.6 (CRITICAL). Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo ...

How severe is CVE-2026-42880?

CVE-2026-42880 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-42880?

Check the references section above for vendor advisories and patch information. Affected products include: Argoproj Argo Cd.