CVE-2026-42880 CRITICAL

CVE-2026-42880: ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction

Vendor: Argoproj
Product: argo-cd
Weakness: CWE-200 · Info exposure
Published: May 7, 2026
Last update: June 30, 2026

CVSS base score

9.6/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

01 Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 3.2.0 up to but not including 3.2.11, and 3.3.0 up to but not including 3.3.9, Argo CD's ServerSideDiff endpoint has a missing authorization and data-masking gap. An attacker with read-only access can use it to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

Key dates

02 Disclosure timeline

May 7, 2026: CVE published
June 30, 2026: Record updated