Bug 2467882 (CVE-2026-42880) - CVE-2026-42880 argoproj/argo-cd: Argo CD: Information disclosure of Kubernetes Secret data via Server-Side Apply dry-run mechanism
Summary: CVE-2026-42880 argoproj/argo-cd: Argo CD: Information disclosure of Kubernete...
Keywords:
Status: NEW
Alias: CVE-2026-42880
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-07 23:01 UTC by OSIDB Bzimport
Modified: 2026-05-11 06:02 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-07 23:01:21 UTC
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.


Note You need to log in before you can comment on or make changes to this bug.