CVE-2026-45737 in argo-cdinfo

Summary

by MITRE • 07/15/2026

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From 3.2.0 until 3.2.12, 3.3.10, and 3.4.2, Argo CD ServerSideDiff can expose Kubernetes Secret values embedded in the kubectl.kubernetes.io/last-applied-configuration annotation because HideSecretData(target, live, ...) does not fully sanitize ResourceDiff.TargetState and LiveState predicted live Secret objects, allowing sensitive data, stringData, and annotations to appear in UI or CLI diffs. This issue is fixed in versions 3.2.12, 3.3.10, and 3.4.2.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability in Argo CD affects versions between 3.2.0 and 3.2.11, as well as 3.3.0 through 3.3.9, and 3.4.0 through 3.4.1 where the ServerSideDiff functionality fails to properly sanitize Kubernetes Secret values embedded within the kubectl.kubernetes.io/last-applied-configuration annotation. This security flaw stems from inadequate input validation and sanitization within the HideSecretData function which is responsible for protecting sensitive information during diff operations between target and live states of Kubernetes resources.

The technical implementation issue occurs when Argo CD processes ResourceDiff objects containing Secret resources, specifically where the TargetState and LiveState properties are not fully sanitized before being displayed in the user interface or command line interface. The HideSecretData function does not adequately strip sensitive data from the kubectl.kubernetes.io/last-applied-configuration annotation which contains embedded secret values that should remain protected. This creates a situation where confidential information including secret data, string data, and annotations can be exposed through diff operations in the Argo CD UI or CLI.

The operational impact of this vulnerability is significant as it allows unauthorized users with access to Argo CD to potentially extract sensitive information from Kubernetes Secrets through normal diff operations. The exposure occurs during routine GitOps operations where administrators might view differences between desired and actual states of their Kubernetes resources. Attackers could leverage this weakness to discover credentials, API keys, certificates, or other confidential data that should remain protected within the kubernetes.io/last-applied-configuration annotation fields.

This vulnerability maps to CWE-200 Information Exposure and aligns with ATT&CK technique T1528 Steal Application Access Token, though it operates through a different vector than typical credential theft methods. The exposure occurs during system operation rather than through direct exploitation, making it particularly concerning for environments where Argo CD is used for continuous delivery operations in production systems.

Organizations should immediately upgrade to versions 3.2.12, 3.3.10, or 3.4.2 which contain the necessary fixes for this vulnerability. The mitigation strategy involves not only applying the patched versions but also reviewing existing diff operations and ensuring that no sensitive information has been previously exposed through the affected functionality. Security teams should monitor their Argo CD installations and implement additional access controls to limit exposure while patches are being deployed. The fix implements proper sanitization of ResourceDiff.TargetState and LiveState objects, specifically addressing the incomplete sanitization of Kubernetes Secret values within the kubectl.kubernetes.io/last-applied-configuration annotation as recommended by security best practices for GitOps tooling.

Responsible

GitHub M

Reservation

05/13/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!