Critical Argo CD Vulnerability Disclosed and Patched. Here's What You Need to Know
Alexander Matyushentsev
Today, we're disclosing a critical vulnerability in Argo CD 3.2 and 3.3, including discovery, impact, and remediation. This vulnerability was discovered and responsibly disclosed to us by a security researcher working for one of our customers, and there are no known reports of exploitation in the wild.
The Vulnerability
A security flaw was identified in the ApplicationService.ServerSideDiff API endpoint. There are two related issues:
1. Unauthorized resource manifest access
Any user with read access to an Argo CD application could retrieve raw manifests of any Kubernetes resource in the destination cluster — including resources completely outside that application's scope. Kubernetes Secret values were redacted, but the authorization bypass was significant.
2. Plaintext secret exposure
Applications annotated with argocd.argoproj.io/compare-options: ServerSideDiff=true were more severely affected: the endpoint returned Kubernetes Secret data in plaintext, with no redaction. Any user with read access could exfiltrate secrets directly.
Full details: GHSA-3v3m-wc6v-x4x3
Akuity Platform Customers
If you're an Akuity customer, we have you protected. For our SaaS customers who are running Akuity’s distribution of Argo CD, no action is needed. Your instances have already been patched with a pre-release fix. Otherwise, we’ve coordinated an upgrade with you ahead of this disclosure. Either way, your exposure window was minimized before this went public.
Action Required for Open Source Users
The vulnerable versions are the last two minor releases of Argo CD. If you're running open source Argo CD, upgrade now:
| Version | Fix |
|---|---|
| Argo CD 3.2 | Upgrade to v3.2.11 |
| Argo CD 3.3 | Upgrade to v3.3.9 |
If you can't upgrade immediately, disable ServerSideDiff=true on any applications where it's enabled, and tighten your RBAC policies so that read privileges for applications are granted only to trusted individuals.
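An added audit helper (not Akuity's or the Argo CD project's code) that works through the two mitigations above: it flags Applications whose compare-options annotation enables ServerSideDiff and checks an Argo CD version string against the fixed releases. It assumes the annotation value is a comma-separated list of options and that the input has the shape of `kubectl get applications.argoproj.io -A -o json`; the Application list below is constructed sample data.

```python
import json
import re

COMPARE_OPTIONS_ANNOTATION = "argocd.argoproj.io/compare-options"

# Fixed releases from the advisory, keyed by affected minor line.
FIXED_VERSIONS = {(3, 2): (3, 2, 11), (3, 3): (3, 3, 9)}


def parse_version(version: str) -> tuple:
    """Turn 'v3.2.10' or '3.3.9+abcdef' into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True only for the 3.2 / 3.3 lines named in the advisory, below the fix."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    return fixed is not None and v < fixed


def server_side_diff_enabled(app: dict) -> bool:
    """Assumes compare-options is comma-separated, e.g. 'IgnoreExtraneous,ServerSideDiff=true'."""
    raw = app.get("metadata", {}).get("annotations", {}).get(COMPARE_OPTIONS_ANNOTATION, "")
    return "ServerSideDiff=true" in [opt.strip() for opt in raw.split(",")]


def find_exposed_apps(app_list: dict) -> list:
    """Return 'namespace/name' for each Application that should have ServerSideDiff disabled."""
    return [
        f"{a['metadata']['namespace']}/{a['metadata']['name']}"
        for a in app_list.get("items", [])
        if server_side_diff_enabled(a)
    ]


# Constructed sample: one app with the option set, one with other options, one without the annotation.
SAMPLE_APPS = json.loads("""
{"items": [
 {"metadata": {"name": "payments", "namespace": "argocd",
  "annotations": {"argocd.argoproj.io/compare-options": "IgnoreExtraneous,ServerSideDiff=true"}}},
 {"metadata": {"name": "frontend", "namespace": "argocd",
  "annotations": {"argocd.argoproj.io/compare-options": "IgnoreExtraneous"}}},
 {"metadata": {"name": "logging", "namespace": "team-b"}}
]}
""")

if __name__ == "__main__":
    print("ServerSideDiff enabled:", find_exposed_apps(SAMPLE_APPS))
    for ver in ("v3.2.10", "v3.2.11", "v3.3.9"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
```

Pipe real `kubectl` output into `find_exposed_apps` to get the list of Applications to remediate until you can upgrade.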
Credit Where It's Due
This vulnerability was discovered and disclosed to us by @hoang-prod, a security engineer at one of our customers, CoreWeave. We're grateful for their collaboration, and we look forward to a continued close partnership with the CoreWeave team.
The Bottom Line
We are the original creators of Argo CD. Akuity builds its core features, drives its roadmap, and when critical security issues surface — we fix them. Argo CD is our passion and we're committed to keeping it safe for everyone who depends on it.
Found a security issue in Argo CD? Report it via GitHub Security Advisories. For issues in Akuity's platform, contact us directly at security@akuity.io.