CVE Daily
← All tags

Tag: Argo CD

All CVEs associated with "Argo CD". Page 1/1 • 57 CVEs.

About “Argo CD”

A curated feed of “Argo CD”-related CVEs appears below. We currently track 57 CVEs for this tag (all time). In the last 365 days, 10 were published. Average CVSS is 7.2 (all time; 8.2 over 365d), and 56% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor, CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer, CWE-1220 - Insufficient Granularity of Access Control.

In our taxonomy this topic maps to a MODERATE impact class. Container and Kubernetes fixes usually require image rebuilds and control plane or node upgrades. Prioritize exposed surfaces, restart workloads on patched bases, and tighten RBAC and NetworkPolicies. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: argo-cd

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestEOLLTS
3.43.4.3-
3.33.3.11-
3.23.2.12-
3.13.1.16 Expired
3.03.0.23 Expired
2.142.14.21 Expired
2.132.13.9 Expired
2.122.12.13 Expired
2.112.11.14 Expired
2.102.10.20 Expired
2.92.9.22 Expired
2.82.8.21 Expired
2.72.7.18 Expired
2.62.6.15 Expired
2.52.5.22 Expired
2.42.4.28 Expired
2.32.3.17 Expired
2.22.2.16 Expired
2.12.1.16 Expired
2.02.0.5 Expired
1.81.8.7 Expired
1.71.7.14 Expired
1.61.6.2 Expired
1.51.5.8 Expired
1.41.4.3 Expired
1.31.3.6 Expired
1.21.2.5 Expired
1.11.1.2 Expired
1.01.0.2 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Argo CD”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-05-07
Critical

CVE-2026-42880

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo…

CVSS: 9.6 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2026-05-02
High

CVE-2026-43824

In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.

CVSS: 7.7 CWE: CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer View on NVD
2026-04-15
Critical

CVE-2026-6388

A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace bound…

CVSS: 9.1 CWE: CWE-1220 - Insufficient Granularity of Access Control View on NVD
2026-01-27
High

CVE-2026-24748

Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed…

CVSS: 7.2 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-12-15
Critical

CVE-2025-13888

A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged…

CVSS: 9.1 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
2025-10-01
High

CVE-2025-59538

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username…

CVSS: 7.5 CWE: CWE-248 - Uncaught Exception View on NVD
High

CVE-2025-59537

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to mali…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2025-59531

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to mali…

CVSS: 7.5 CWE: CWE-703 - Improper Check or Handling of Exceptional Conditions View on NVD
2025-09-30
Medium

CVE-2025-55191

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition…

CVSS: 6.5 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2025-09-04
Critical

CVE-2025-55190

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with…

CVSS: 9.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-05-29
Critical

CVE-2025-47933

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API.…

CVSS: 9.0 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2025-01-30
Medium

CVE-2025-23216

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kube…

CVSS: 6.8 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-01-28
High

CVE-2024-13484

A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a r…

CVSS: 8.2 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
2024-07-24
Medium

CVE-2024-41666

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec.…

CVSS: 4.7 CWE: CWE-269 - Improper Privilege Management View on NVD
2024-07-22
High

CVE-2024-40634

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2024-06-06
Medium

CVE-2024-37152

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authenti…

CVSS: 5.3 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2024-36106

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enume…

CVSS: 4.3 CWE: CWE-209 - Generation of Error Message Containing Sensitive Information View on NVD
2024-05-21
Critical

CVE-2024-31989

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis serve…

CVSS: 9.0 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2024-05-14
Medium

CVE-2024-32476

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched i…

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2024-04-15
Medium

CVE-2024-31990

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should…

CVSS: 4.8 CWE: CWE-863 - Incorrect Authorization View on NVD
2024-03-29
Medium

CVE-2024-29893

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Serv…

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2024-03-18
High

CVE-2024-21662

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by…

CVSS: 7.5 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
High

CVE-2024-21661

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial…

CVSS: 7.5 CWE: CWE-787 - Out-of-bounds Write View on NVD
Critical

CVE-2024-21652

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Servic…

CVSS: 9.8 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
2024-03-13
Critical

CVE-2024-28175

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the applicatio…

CVSS: 9.0 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2023-50726

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-def…

CVSS: 6.4 CWE: CWE-269 - Improper Privilege Management View on NVD
2024-01-19
High

CVE-2024-22424

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 are vulnerable to a cross-server request forgery (CSRF)…

CVSS: 8.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2023-09-27
Medium

CVE-2023-40026

Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a speci…

CVSS: 5.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2023-09-07
Medium

CVE-2023-40584

Argo CD is a declarative continuous deployment for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack…

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Critical

CVE-2023-40029

Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored in`kub…

CVSS: 9.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-08-23
Medium

CVE-2023-40025

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allow…

CVSS: 4.7 CWE: CWE-613 - Insufficient Session Expiration View on NVD
2023-03-27
Medium

CVE-2022-41354

An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications.

CVSS: 4.3 CWE: CWE-203 - Observable Discrepancy View on NVD
2023-02-16
Critical

CVE-2023-23947

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23 2.5.11, and 2.6.2 are vulnerable to an improper aut…

CVSS: 9.1 CWE: CWE-863 - Incorrect Authorization View on NVD
2023-02-08
Medium

CVE-2023-25163

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in…

CVSS: 6.3 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2023-01-26
High

CVE-2023-22736

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass…

CVSS: 8.5 CWE: CWE-862 - Missing Authorization View on NVD
Critical

CVE-2023-22482

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper au…

CVSS: 9.0 CWE: CWE-863 - Incorrect Authorization View on NVD
2022-07-12
High

CVE-2022-31105

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation…

CVSS: 8.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
Low

CVE-2022-31102

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with 2.3.0 and prior to 2.3.6 and 2.4.5 is vulnerable to a cross-site scripting (XSS) bug which could allow…

CVSS: 2.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2022-1025

All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level.

CVSS: 8.8 CWE: CWE-284 - Improper Access Control View on NVD
2022-06-27
Medium

CVE-2022-31036

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.3.0 are vulnerable to a symlink following bug allowing a malicious user with reposit…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2022-31035

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to…

CVSS: 9.0 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2022-31034

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the…

CVSS: 8.3 CWE: CWE-330 - Use of Insufficiently Random Values View on NVD
2022-06-25
Medium

CVE-2022-31016

Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to cra…

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2022-05-20
Critical

CVE-2022-29165

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and…

CVSS: 10.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2022-24905

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messag…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2022-24904

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.7.0 and prior to versions 2.1.15m 2.2.9, and 2.3.4 is vulnerable to a symlink following bug a…

CVSS: 4.3 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2022-03-23
Critical

CVE-2022-24768

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All unpatched versions of Argo CD starting with 1.0.0 are vulnerable to an improper access control bug, allowing a malicious…

CVSS: 9.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2022-24731

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerabil…

CVSS: 6.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2022-24730

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.3.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal bug, compo…

CVSS: 7.7 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2022-02-16
Medium

CVE-2021-3557

A flaw was found in argocd. Any unprivileged user is able to deploy argocd in their namespace and with the created ServiceAccount argocd-argocd-server, the unprivileged user is able to read all resou…

CVSS: 6.5 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2022-02-04
High

CVE-2022-24348

Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover cr…

CVSS: 7.7 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2021-05-12
Medium

CVE-2021-23135

Exposure of System Data to an Unauthorized Control Sphere vulnerability in web UI of Argo CD allows attacker to cause leaked secret data into web UI error messages and logs. This issue affects Argo C…

CVSS: 5.9 CWE: CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere View on NVD
2021-03-15
Medium

CVE-2021-26924

An issue was discovered in Argo CD before 1.8.4. Browser XSS protection is not activated due to the missing XSS protection header.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2021-26923

An issue was discovered in Argo CD before 1.8.4. Accessing the endpoint /api/version leaks internal information for the system, and this endpoint is not protected with authentication.

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2021-03-03
Medium

CVE-2021-23347

The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 and before 1.8.6 are vulnerable to Cross-site Scripting (XSS) the SSO provider connected to Argo CD would have to send back a mal…

CVSS: 4.7 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-02-09
Medium

CVE-2021-26921

In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled.

CVSS: 6.5 CWE: CWE-613 - Insufficient Session Expiration View on NVD
2020-04-08
High

CVE-2020-8828

As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privil…

CVSS: 8.8 CWE: CWE-287 - Improper Authentication View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox