Argo CD secret data leak (CVE-2026-42880)

CVE-2026-42880: Argo CD 3.2.0-3.2.10 and 3.3.0-3.3.8 let read-only users extract plaintext Kubernetes Secrets. CRITICAL, CVSS 9.6. Update to 3.2.11 or 3.3.9.

Patch now - CVE-2026-42880 is a critical data leak in Argo CD versions 3.2.0 to 3.2.10 and 3.3.0 to 3.3.8 that lets an attacker with read-only access extract plaintext Kubernetes Secret data from the cluster’s etcd datastore. Patched in versions 3.2.11 and 3.3.9 - update immediately.

Overview

CVE-2026-42880 is an authorization and data-masking bypass in the Argo CD ServerSideDiff endpoint. This endpoint leverages the Kubernetes API server’s Server-Side Apply dry-run mechanism, which returns the full applied object in its response. Because Argo CD neither properly authorized this endpoint nor masked sensitive fields, a read-only user can submit crafted resources that cause the Kubernetes API server to return the stored Secret data in plaintext. The attacker needs only network access to the Argo CD instance and valid credentials with read-only privileges.

Impact

The vulnerability is scored CRITICAL with a CVSS of 9.6. The score reflects that the attack is network-based, requires only low privileges and no user interaction, and has low attack complexity. The confidentiality impact is HIGH, while availability and integrity are not affected.

An attacker who successfully exploits this flaw can dump all Kubernetes Secrets managed by Argo CD. This can include database credentials, API tokens, TLS certificates, and service account keys. Once exposed, these secrets can be used for lateral movement, privilege escalation, or data exfiltration from the entire Kubernetes cluster.

While there is no evidence of active exploitation in the wild, this vulnerability is trivial to chain with any existing read-only account. Given widespread Argo CD adoption, it is a high-priority target for threat actors.

Remediation

Upgrade Argo CD to version 3.2.11 (for the 3.2.x line) or 3.3.9 (for the 3.3.x line). These releases add proper authorization checks on the ServerSideDiff endpoint and apply data-masking for Secret-type objects, preventing the dry-run response from exposing sensitive data.
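The fix described above masks Secret values in the dry-run response before it is returned to the client. The following is an added illustration of that masking step (example code, not Argo CD's own implementation); the sample response, the MASK marker and the list of annotations to scrub are constructed assumptions.

```python
import copy
import json

# Placeholder shown in place of every secret value (constructed; not Argo CD's own marker).
MASK = "++++++++"
SECRET_FIELDS = ("data", "stringData")
# Annotations that may embed a full copy of the object, data included.
LEAKY_ANNOTATIONS = ("kubectl.kubernetes.io/last-applied-configuration",)

# Constructed sample of what a Server-Side Apply dry run hands back: the whole live
# object from the cluster, not just the fields the caller submitted.
DRY_RUN_RESPONSE = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": "db-creds",
        "namespace": "prod",
        "annotations": {
            "kubectl.kubernetes.io/last-applied-configuration":
                '{"apiVersion":"v1","kind":"Secret","data":{"password":"aHVudGVyMg=="}}'
        },
    },
    "data": {"password": "aHVudGVyMg==", "username": "YWRtaW4="},
    "stringData": {"url": "postgres://db:5432"},
}

def is_secret(obj: dict) -> bool:
    return obj.get("apiVersion") == "v1" and obj.get("kind") == "Secret"

def mask_secret(obj: dict) -> dict:
    """Return a copy of a dry-run response with every Secret value replaced by MASK.

    Keys survive so a diff still shows which entries changed; values never do.
    A v1 List is walked so Secrets nested inside it are masked as well.
    """
    out = copy.deepcopy(obj)
    if out.get("kind") == "List":
        out["items"] = [mask_secret(item) for item in out.get("items", [])]
        return out
    if not is_secret(out):
        return out
    for field in SECRET_FIELDS:
        if isinstance(out.get(field), dict):
            out[field] = {key: MASK for key in out[field]}
    annotations = out.get("metadata", {}).get("annotations") or {}
    for key in LEAKY_ANNOTATIONS:
        if key in annotations:
            annotations[key] = MASK
    return out

def leaked_values(original: dict, masked: dict) -> list:
    """Original Secret values (single object) that still appear anywhere in the masked output."""
    serialized = json.dumps(masked)
    values = [v for f in SECRET_FIELDS for v in (original.get(f) or {}).values()]
    return [v for v in values if v in serialized]
```

Running leaked_values over the masked copy is the check worth keeping in a regression test: it fails if a value ever reappears through a field the masking did not cover.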

If immediate patching is not possible, restrict read-only access to only trusted users and monitor audit logs for unusual ServerSideDiff requests. However, these are temporary mitigations; the only complete fix is upgrading.

Security Insight

This vulnerability exemplifies a recurring pattern in GitOps tooling: features designed for operational convenience (like diff previews) often lack rigorous authorization boundaries for the read path. The ServerSideDiff endpoint was intended to show configuration changes, but because it relied on the Kubernetes API server’s own dry-run response, it inadvertently became a proxy for reading live secrets. This should prompt organizations to audit their GitOps tooling for similar “read-but-not-write” bypasses, particularly in diff and preview endpoints that interact with the Kubernetes API server.
