Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical WordPress Plugin Bug Lets Attackers Control Websites
July 13, 2026
Armored Likho APT deploys BusySnake stealer with AI-generated loaders
July 13, 2026
VEXAIoT Multi-Agent System Automates IoT Reconnaissance and Exploit Execution
July 13, 2026
Home/CyberSecurity News/Critical Argo CD CVE-2024-31725 Lets Attackers Extract Kubernetes Secrets
CyberSecurity News

Critical Argo CD CVE-2024-31725 Lets Attackers Extract Kubernetes Secrets

Key Takeaways A critical vulnerability, CVE-2026-43824, has been discovered in Argo CD, a popular GitOps continuous delivery tool for Kubernetes. The flaw allows low-privileged users to extract...

Marcus Rodriguez
Marcus Rodriguez
May 6, 2026 3 Min Read
48 0

Key Takeaways

  • A critical vulnerability, CVE-2026-43824, has been discovered in Argo CD, a popular GitOps continuous delivery tool for Kubernetes.
  • The flaw allows low-privileged users to extract sensitive Kubernetes Secrets in plaintext due to a missing data-masking function.
  • The vulnerability impacts Argo CD versions 3.2.0 through 3.3.8 and carries a severe CVSS score of 9.6.
  • Patched versions 3.3.9 and 3.2.11 are available, and immediate upgrades are strongly recommended.

A significant security flaw has been identified within Argo CD, the widely adopted declarative GitOps continuous delivery tool crucial for Kubernetes environments. This critical vulnerability, designated as CVE-2026-43824, enables attackers with minimal privileges to directly exfiltrate plaintext Kubernetes Secrets from a cluster.

Table Of Content

  • Key Takeaways
  • Argo CD’s ServerSideDiff Vulnerability
  • The Authorization Gap
  • Exploitation Mechanism
  • Affected Versions and Patches
  • What You Should Do

Security analysis from Devoriales indicates a severe CVSS score of 9.6 for this flaw. It effectively bypasses existing data-masking protocols, presenting considerable risks within the control plane’s security architecture.

Argo CD’s ServerSideDiff Vulnerability

The Authorization Gap

The root cause of this vulnerability lies in an authorization and data-masking oversight within Argo CD’s ServerSideDiff endpoint. Typically, Argo CD safeguards sensitive cluster information by applying a specific masking function, hideSecretData, across all endpoints that provide Kubernetes resource states.

However, this essential masking capability was never integrated into the ServerSideDiff handler. Consequently, the affected REST and gRPC endpoints generate their responses using raw, unmasked resource states. The situation is further compounded when an application is configured with the IncludeMutationWebhook=true annotation, which completely circumvents Argo CD’s secondary defense layer. This configuration forces the system to bypass the removeWebhookMutation function, which is designed to strip non-managed fields from the Server-Side Apply dry-run response.

Security researchers Alexmt and Hoang-Prod are credited with discovering and reporting the issue on GitHub. They highlighted that exploiting this vulnerability requires only basic read-only access.

Exploitation Mechanism

The outcome of this flaw is that the raw Kubernetes API response, containing actual secret values read directly from etcd, is transmitted to the user without any masking. Exploiting this vulnerability is remarkably straightforward for an attacker who has already compromised a low-level account, as every authenticated Argo CD user typically has access through the default catch-all policy.

As detailed by Juliet Security, when an attacker triggers the ServerSideDiff function on a specific managed resource, the handler executes a server-side apply dry-run against the Kubernetes API. For the secret extraction to be successful, the data fields of the targeted secret must be owned by at least one non-Argo CD field manager, such as the kube-controller-manager or an external secrets operator. When this condition is met, the external manager maintains ownership during the garbage-collection dry run, allowing the plaintext values to persist in the system’s response.

This critical oversight facilitates the unauthorized extraction of highly sensitive operational data, including service account tokens, database credentials, TLS certificates, and third-party API keys.

Affected Versions and Patches

The vulnerability specifically impacts Argo CD versions 3.2.0 through 3.3.8. To mitigate the threat of unauthorized secret extraction, system administrators are strongly advised to upgrade their deployments immediately to the official patched releases: versions 3.3.9 or 3.2.11. These updated versions correctly implement the previously missing data-masking function within the ServerSideDiff handler, thereby restoring the integrity of the GitOps pipeline.

What You Should Do

  • Upgrade Immediately: Update all Argo CD deployments to versions 3.3.9 or 3.2.11 to apply the critical patch.
  • Remove Annotation (if unable to patch): For organizations unable to patch immediately, remove the IncludeMutationWebhook=true annotation from all applications as a temporary mitigation.
  • Strengthen RBAC: Review and tighten Role-Based Access Control (RBAC) policies to strictly limit application read access within Argo CD.
  • Monitor Logs: Actively monitor Argo CD API logs for any anomalous or unauthorized ServerSideDiff queries, which could indicate attempted exploitation.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVECybersecurityExploitPatchSecurityThreatVulnerability

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Russian Ransomware Group Member Sentenced to 102 Months in Prison

Next Post

Radio Signal Spoofing Halts Taiwan High Speed Rail Trains

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical jscrambler Supply Chain Attack Targets Developers
July 13, 2026
Misconfigured Python HTTP Server CVE-2024-XXXX Exposes Three Active Attack Campaigns
July 13, 2026
RokRAT Malware Targets Researchers With Fake Academic Event Materials
July 13, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us