Argo CD ServerSideDiff Flaw Allows Kubernetes Secret Theft
A critical cybersecurity vulnerability has been uncovered in Argo CD, the declarative GitOps continuous delivery tool widely adopted across Kubernetes environments.
Tracked as CVE-2026-43824, this high-severity flaw allows low-privileged users to extract plaintext Kubernetes Secrets directly from a cluster.
According to security analysis from Devoriales, the vulnerability carries a severe CVSS score of 9.6, as it bypasses built-in data-masking mechanisms and exposes significant risks within control-plane boundaries.
Argo CD’s ServerSideDiff Vulnerability
The core of the vulnerability resides in a missing authorization and data-masking gap within the Argo CD ServerSideDiff endpoint.
In a standard configuration, Argo CD effectively protects sensitive cluster data by invoking the specific masking function hideSecretData across all endpoints that return Kubernetes resource states.
However, this crucial masking function was never implemented in the ServerSideDiff handler.
Consequently, the vulnerable REST and gRPC endpoints construct their responses using raw, unmasked resource states.
When an application is configured with the IncludeMutationWebhook=true annotation, Argo CD’s secondary defense layer is completely bypassed.
This forces the system to skip the removeWebhookMutation function, which normally strips non-managed fields from the Server-Side Apply dry-run response.
As a result, the raw Kubernetes API response, containing real secret values read directly from etcd, is returned to the user with no masking applied.
Security researchers Alexmt and Hoang-Prod, who discovered and reported the issue on GitHub, warned that attackers need only basic read-only access to exploit it.
Exploiting this flaw is alarmingly straightforward for an attacker who has already compromised a low-level account.
Under Argo CD's default catch-all RBAC policy, every authenticated user has the access required.
As noted by Juliet Security, when an attacker triggers the ServerSideDiff function on a targeted managed resource, the handler performs a server-side apply dry-run against the Kubernetes API.
For the extraction to succeed, the data fields of the targeted secret must be owned by at least one non-Argo CD field manager, such as the kube-controller-manager or an external secrets operator.
When this condition is met, the external manager retains ownership during the garbage-collection dry run, allowing the plaintext values to survive in the system’s response.
This enables the unauthorized extraction of highly sensitive operational data, including service account tokens, database passwords, TLS certificates, and third-party API keys.
The vulnerability specifically affects Argo CD versions 3.2.0 through 3.3.8.
To neutralize the threat of unauthorized secret extraction, system administrators are strongly urged to immediately upgrade their deployments to the official patched releases, specifically versions 3.3.9 or 3.2.11.
These updated versions properly implement the missing data-masking function within the ServerSideDiff handler, reestablishing the security of the GitOps pipeline.
For organizations unable to patch their systems immediately, temporary mitigations include removing the IncludeMutationWebhook=true annotation from all applications.
Furthermore, security teams should tighten their Role-Based Access Control policies to strictly limit application read access, and monitor Argo CD API logs for any anomalous or unauthorized ServerSideDiff queries.
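To put the version check and the annotation mitigation above into practice, here is an added triage script; it is example code, not taken from the advisory or the Argo CD project. It assumes the IncludeMutationWebhook=true value lives in Argo CD's compare-options annotation (key `argocd.argoproj.io/compare-options`), and the Application manifests it scans are constructed inline.

```python
"""Triage helpers for CVE-2026-43824 (Argo CD ServerSideDiff secret exposure):
is_affected() applies the advisory's version range (3.2.0 through 3.3.8, fixed
in 3.2.11 / 3.3.9); find_exposed_apps() lists Applications still carrying the
IncludeMutationWebhook=true option that should be removed until patched."""
import re
from typing import Iterable

# Assumed annotation key (Argo CD's compare-options annotation); the advisory
# names only the IncludeMutationWebhook=true value.
COMPARE_OPTIONS_KEY = "argocd.argoproj.io/compare-options"

# First patched patch-level per affected minor branch, from the advisory.
# Branches not listed (3.1.x, 3.4.x, ...) are treated as not affected.
FIXED_PATCH = {(3, 2): 11, (3, 3): 9}

def parse_version(version: str) -> tuple:
    """'v3.3.8' or '3.2.10-rc1' -> (3, 3, 8); pre-release suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version: str) -> bool:
    """True if this release lacks the ServerSideDiff hideSecretData fix.
    Note 3.2.11 sorts below 3.3.8 yet is patched, so compare per branch."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed

def has_mutation_webhook_option(app: dict) -> bool:
    """Check one Application manifest for IncludeMutationWebhook=true."""
    annotations = app.get("metadata", {}).get("annotations") or {}
    opts = annotations.get(COMPARE_OPTIONS_KEY, "")
    return any(o.strip() == "IncludeMutationWebhook=true" for o in opts.split(","))

def find_exposed_apps(apps: Iterable[dict]) -> list:
    """Names of Applications that still need the annotation removed."""
    return [a["metadata"]["name"] for a in apps if has_mutation_webhook_option(a)]

# Constructed sample manifests (not from any real cluster).
SAMPLE_APPS = [
    {"metadata": {"name": "payments", "annotations": {
        COMPARE_OPTIONS_KEY: "ServerSideDiff=true,IncludeMutationWebhook=true"}}},
    {"metadata": {"name": "frontend", "annotations": {
        COMPARE_OPTIONS_KEY: "ServerSideDiff=true"}}},
    {"metadata": {"name": "logging"}},
]
```

Feed `find_exposed_apps` the output of `argocd app list -o json` (or the Application objects from the cluster) to get the list of manifests to edit while the upgrade is pending.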
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.