Critical Argo CD CVE-2024-31725 Lets Attackers Extract Kubernetes Secrets
Key Takeaways A critical vulnerability, CVE-2026-43824, has been discovered in Argo CD, a popular GitOps continuous delivery tool for Kubernetes. The flaw allows low-privileged users to extract...
Key Takeaways
- A critical vulnerability, CVE-2026-43824, has been discovered in Argo CD, a popular GitOps continuous delivery tool for Kubernetes.
- The flaw allows low-privileged users to extract sensitive Kubernetes Secrets in plaintext due to a missing data-masking function.
- The vulnerability impacts Argo CD versions 3.2.0 through 3.3.8 and carries a severe CVSS score of 9.6.
- Patched versions 3.3.9 and 3.2.11 are available, and immediate upgrades are strongly recommended.
A significant security flaw has been identified within Argo CD, the widely adopted declarative GitOps continuous delivery tool crucial for Kubernetes environments. This critical vulnerability, designated as CVE-2026-43824, enables attackers with minimal privileges to directly exfiltrate plaintext Kubernetes Secrets from a cluster.
Table Of Content
Security analysis from Devoriales indicates a severe CVSS score of 9.6 for this flaw. It effectively bypasses existing data-masking protocols, presenting considerable risks within the control plane’s security architecture.
Argo CD’s ServerSideDiff Vulnerability
The Authorization Gap
The root cause of this vulnerability lies in an authorization and data-masking oversight within Argo CD’s ServerSideDiff endpoint. Typically, Argo CD safeguards sensitive cluster information by applying a specific masking function, hideSecretData, across all endpoints that provide Kubernetes resource states.
However, this essential masking capability was never integrated into the ServerSideDiff handler. Consequently, the affected REST and gRPC endpoints generate their responses using raw, unmasked resource states. The situation is further compounded when an application is configured with the IncludeMutationWebhook=true annotation, which completely circumvents Argo CD’s secondary defense layer. This configuration forces the system to bypass the removeWebhookMutation function, which is designed to strip non-managed fields from the Server-Side Apply dry-run response.
Security researchers Alexmt and Hoang-Prod are credited with discovering and reporting the issue on GitHub. They highlighted that exploiting this vulnerability requires only basic read-only access.
Exploitation Mechanism
The outcome of this flaw is that the raw Kubernetes API response, containing actual secret values read directly from etcd, is transmitted to the user without any masking. Exploiting this vulnerability is remarkably straightforward for an attacker who has already compromised a low-level account, as every authenticated Argo CD user typically has access through the default catch-all policy.
As detailed by Juliet Security, when an attacker triggers the ServerSideDiff function on a specific managed resource, the handler executes a server-side apply dry-run against the Kubernetes API. For the secret extraction to be successful, the data fields of the targeted secret must be owned by at least one non-Argo CD field manager, such as the kube-controller-manager or an external secrets operator. When this condition is met, the external manager maintains ownership during the garbage-collection dry run, allowing the plaintext values to persist in the system’s response.
This critical oversight facilitates the unauthorized extraction of highly sensitive operational data, including service account tokens, database credentials, TLS certificates, and third-party API keys.
Affected Versions and Patches
The vulnerability specifically impacts Argo CD versions 3.2.0 through 3.3.8. To mitigate the threat of unauthorized secret extraction, system administrators are strongly advised to upgrade their deployments immediately to the official patched releases: versions 3.3.9 or 3.2.11. These updated versions correctly implement the previously missing data-masking function within the ServerSideDiff handler, thereby restoring the integrity of the GitOps pipeline.
What You Should Do
- Upgrade Immediately: Update all Argo CD deployments to versions 3.3.9 or 3.2.11 to apply the critical patch.
- Remove Annotation (if unable to patch): For organizations unable to patch immediately, remove the
IncludeMutationWebhook=trueannotation from all applications as a temporary mitigation. - Strengthen RBAC: Review and tighten Role-Based Access Control (RBAC) policies to strictly limit application read access within Argo CD.
- Monitor Logs: Actively monitor Argo CD API logs for any anomalous or unauthorized ServerSideDiff queries, which could indicate attempted exploitation.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.