Vulnerability Details CVE-2026-42880
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, missing authorization and a data-masking gap in Argo CD's ServerSideDiff endpoint allow an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 2.4%
CVSS Severity
CVSS v3 Score 9.6
Products affected by CVE-2026-42880
- cpe:2.3:a:argoproj:argo_cd:3.2.0
- cpe:2.3:a:argoproj:argo_cd:3.2.1
- cpe:2.3:a:argoproj:argo_cd:3.2.10
- cpe:2.3:a:argoproj:argo_cd:3.2.2
- cpe:2.3:a:argoproj:argo_cd:3.2.3
- cpe:2.3:a:argoproj:argo_cd:3.2.4
- cpe:2.3:a:argoproj:argo_cd:3.2.5
- cpe:2.3:a:argoproj:argo_cd:3.2.6
- cpe:2.3:a:argoproj:argo_cd:3.2.7
- cpe:2.3:a:argoproj:argo_cd:3.2.8
- cpe:2.3:a:argoproj:argo_cd:3.2.9
- cpe:2.3:a:argoproj:argo_cd:3.3.0
- cpe:2.3:a:argoproj:argo_cd:3.3.1
- cpe:2.3:a:argoproj:argo_cd:3.3.2
- cpe:2.3:a:argoproj:argo_cd:3.3.3
- cpe:2.3:a:argoproj:argo_cd:3.3.4
- cpe:2.3:a:argoproj:argo_cd:3.3.5
- cpe:2.3:a:argoproj:argo_cd:3.3.6
- cpe:2.3:a:argoproj:argo_cd:3.3.7
- cpe:2.3:a:argoproj:argo_cd:3.3.8