CVE-2026-42880

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42880.json",
    "cwe_ids": [
        "CWE-200",
        "CWE-212"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/argoproj/argo-cd

Affected ranges

Type

GIT

Repo

https://github.com/argoproj/argo-cd

Events

Introduced

66b2f302d91a42cc151808da0eec0846bbe1062c

Fixed

6d66c1b29e4f25dccfb5b0c7a939785b0071ef9a

Introduced

fd6b7d5b3cba5e7aa7ad400b0fb905a81018a77b

Fixed

1b1bb48f981385cf40b282e965cf63419be3d93f

Database specific

{
    "cpe": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "3.2.0"
        },
        {
            "fixed": "3.2.11"
        },
        {
            "introduced": "3.3.0"
        },
        {
            "fixed": "3.3.9"
        }
    ]
}

Affected versions

v3.*

v3.2.0

v3.2.1

v3.2.10

v3.2.2

v3.2.3

v3.2.4

v3.2.5

v3.2.6

v3.2.7

v3.2.8

v3.2.9

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.3.8

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42880.json"