Executive Summary
A high-severity information disclosure vulnerability (CVE-2026-43824, CVSS 7.7) has been identified in Argo CD, the widely used GitOps continuous delivery tool for Kubernetes. The flaw resides in the ServerSideDiff feature and allows authenticated users with sufficient permissions to read Kubernetes Secret data in cleartext.
Affected versions span the 3.2.x series (3.2.0 through 3.2.10) and the 3.3.x series (3.3.0 through 3.3.8). Patches are available in Argo CD 3.2.11 and 3.3.9.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-43824 |
| CVSS Score | 7.7 (High) |
| CWE | CWE-312 — Cleartext Storage of Sensitive Information |
| Type | Information Disclosure |
| Attack Vector | Network |
| Privileges Required | Low (authenticated) |
| User Interaction | None |
| Patch Available | Yes — upgrade to 3.2.11 or 3.3.9 |
Affected Products
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Argo CD | 3.2.0 – 3.2.10 | 3.2.11 |
| Argo CD | 3.3.0 – 3.3.8 | 3.3.9 |
Technical Analysis
What is ServerSideDiff?
Argo CD's ServerSideDiff is a feature that computes resource diffs using a server-side apply dry-run against the Kubernetes API server, rather than computing the diff locally within the Argo CD controller. This approach gives more accurate diffs for resources with defaulted or mutated fields.
When ServerSideDiff is enabled, Argo CD submits resources — including Kubernetes Secrets — to the Kubernetes API server using a dry-run apply. The API server's response includes the resource in its cleartext form, meaning the Secret values are returned in their raw, decoded state rather than in their base64-encoded storage form.
Root Cause
The vulnerability arises because Argo CD does not adequately redact or mask Secret values when processing the ServerSideDiff response. A user with access to Argo CD's diff output — whether through the UI, API, or CLI — can view the contents of any Kubernetes Secret managed by the affected application.
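As an added example (not Argo CD's own code), the masking step a diff path should perform on a Secret before either copy reaches a user: both live and target values are replaced by a fixed mask, and a key whose value changed gets a mask one character longer on the target side, so the diff still flags the change without exposing either value. It assumes the objects arrive as unstructured maps, as they do after JSON decoding of an API response.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Masks substituted for Secret values. The target-side mask is one
// character longer when a value actually changed, so the diff still
// reports the key as changed without revealing either value.
const (
	maskUnchanged = "++++++++"
	maskChanged   = "+++++++++"
)

func secretValues(obj map[string]interface{}, field string) map[string]interface{} {
	m, _ := obj[field].(map[string]interface{})
	return m
}

// redactSecretPair masks data and stringData values of the live and target
// copies of a Secret in place, before either copy reaches a diff. Objects
// of any other kind are left untouched.
func redactSecretPair(live, target map[string]interface{}) {
	if live["kind"] != "Secret" && target["kind"] != "Secret" {
		return
	}
	for _, field := range []string{"data", "stringData"} {
		lv, tv := secretValues(live, field), secretValues(target, field)
		for k, v := range tv {
			if old, ok := lv[k]; ok && fmt.Sprint(old) == fmt.Sprint(v) {
				tv[k] = maskUnchanged
			} else {
				tv[k] = maskChanged // new key or changed value
			}
		}
		for k := range lv {
			lv[k] = maskUnchanged
		}
	}
}

func main() {
	// Constructed sample: live and desired copies of one Secret (placeholder values).
	live := map[string]interface{}{"kind": "Secret", "data": map[string]interface{}{"password": "old-pw", "username": "app"}}
	target := map[string]interface{}{"kind": "Secret", "data": map[string]interface{}{"password": "new-pw", "username": "app"}}
	redactSecretPair(live, target)
	out, _ := json.Marshal(target)
	fmt.Println(string(out)) // username masked as unchanged, password masked as changed
}
```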
Exploitation Conditions
- Target must be running an affected version of Argo CD (3.2.0–3.2.10 or 3.3.0–3.3.8)
- Attacker requires authenticated access to Argo CD with at minimum read or sync permissions on a target application
- The application must include resources of type Secret
- ServerSideDiff must be enabled (note: it may be enabled by default in some configurations)
Attack Flow
1. Attacker authenticates to Argo CD with low-privilege credentials
2. Attacker opens or triggers a diff for any application containing Kubernetes Secrets
3. ServerSideDiff submits the Secret to the Kubernetes API server via dry-run apply
4. API server returns the Secret with cleartext (decoded) values
5. Argo CD displays or exposes the diff output — including cleartext Secret values
6. Attacker reads database passwords, API keys, TLS private keys, tokens, etc.
Impact Assessment
Kubernetes Secrets are base64-encoded at rest by default (not encrypted unless Envelope Encryption is configured). While base64 is trivially reversible, the real risk posed by CVE-2026-43824 is that Argo CD's diff display presents secret values in an already-decoded, cleartext form — making them immediately readable without any additional decoding step.
| Impact Area | Description |
|---|---|
| Credential Exposure | Database passwords, API keys, OAuth tokens in Secrets are exposed |
| TLS Key Disclosure | Private keys stored as Secrets may be readable |
| Service Account Tokens | Kubernetes service account tokens can be extracted |
| Third-Party Integrations | Webhook secrets, cloud provider credentials compromised |
| Lateral Movement | Leaked credentials may enable access to downstream infrastructure |
The severity is amplified in environments where:
- RBAC grants broad Argo CD application access to many users
- Secrets contain sensitive credentials (cloud IAM, database, TLS)
- Argo CD manages secrets via tools like External Secrets Operator or Sealed Secrets
Immediate Remediation
Step 1: Upgrade Argo CD

```bash
# Check the deployed version: the argocd-server line is the one that matters,
# not the local CLI version
argocd version

# Upgrade via Helm. The chart version is not the Argo CD version: pick the
# chart release whose APP VERSION column shows 3.2.11 (or 3.3.9).
helm search repo argo/argo-cd --versions | head
helm upgrade argocd argo/argo-cd \
  --namespace argocd \
  --reuse-values \
  --version <chart-version-whose-appVersion-is-3.2.11>

# Upgrade a manifest-based install (use v3.3.9 on the 3.3.x track)
kubectl apply -n argocd -f \
  https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.11/manifests/install.yaml
```

Step 2: Disable ServerSideDiff as a Temporary Mitigation
If an immediate upgrade is not possible, disable ServerSideDiff. The global switch lives in the argocd-cmd-params-cm ConfigMap read by the application controller (the application.resourceTrackingMethod key in argocd-cm controls resource tracking, not diffing, and does not help here):

```yaml
# argocd-cmd-params-cm ConfigMap; restart the application controller after changing it
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cmd-params-cm
  namespace: argocd
data:
  # Disable server-side diff globally (same effect as ARGOCD_SERVER_SIDE_DIFF=false
  # on the controller)
  controller.diff.server.side: "false"
```

To disable it per application instead, set the sync option in the Application spec (or the annotation argocd.argoproj.io/compare-options: ServerSideDiff=false on the Application):

```yaml
spec:
  syncPolicy:
    syncOptions:
      - ServerSideDiff=false
```

Step 3: Audit Access Logs
Review who has accessed application diffs since the affected versions were deployed:

```bash
# Argo CD server request logs for the last 30 days, filtered to diff-related calls.
# Keep successful requests: those are the ones that actually returned a diff
# (the UI's diff view calls the ManagedResources API).
kubectl logs -n argocd -l app.kubernetes.io/name=argocd-server \
  --since=720h | grep -iE "diff|sync|refresh|managed-resources"

# List local Argo CD accounts (SSO-federated users do not appear here;
# check the identity provider's logs for them)
argocd account list
```

Step 4: Rotate Potentially Exposed Secrets
If ServerSideDiff was enabled on applications containing sensitive Secrets, rotate all credentials:

```bash
# List Secrets tracked by Argo CD applications. Argo CD marks tracked resources
# with the app.kubernetes.io/instance label (default tracking method) or, with
# annotation tracking, the argocd.argoproj.io/tracking-id annotation.
kubectl get secrets -A -o json | jq -r '
  .items[]
  | select((.metadata.labels["app.kubernetes.io/instance"] != null)
        or (.metadata.annotations["argocd.argoproj.io/tracking-id"] != null))
  | .metadata.namespace + "/" + .metadata.name'

# Rotate each identified Secret and update downstream consumers
```

Detection
| Indicator | Description |
|---|---|
| Argo CD version 3.2.0–3.2.10 or 3.3.0–3.3.8 in use | Vulnerable deployment identified |
| server-side-apply dry-run requests in Kubernetes audit logs | ServerSideDiff activity |
| Unusual access to Argo CD diff/refresh endpoints from unexpected users | Potential exploitation attempt |
| Argo CD access logs showing diff views by low-privilege accounts | Suspicious information access |
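An added example, not part of the advisory: a Go filter over Kubernetes audit events (JSON lines) that isolates the dry-run patches on Secrets that ServerSideDiff generates, which is the audit-log indicator in the table above. The sample events are constructed; the field manager name argocd-controller and the controller's service-account username are assumptions about your deployment, so compare them against one real event first.

```go
package main

import (
	"bufio"
	"encoding/json"
	"net/url"
	"strings"
)

// Only the audit.k8s.io/v1 Event fields the check needs.
type auditEvent struct {
	Verb       string `json:"verb"`
	Stage      string `json:"stage"`
	RequestURI string `json:"requestURI"`
	User       struct{ Username string `json:"username"` } `json:"user"`
	ObjectRef  struct {
		Resource  string `json:"resource"`
		Namespace string `json:"namespace"`
		Name      string `json:"name"`
	} `json:"objectRef"`
}

type Hit struct{ User, Secret, FieldManager string }

// dryRunSecretApplies scans JSON-lines audit output and returns every
// completed patch on a Secret sent with dryRun=All, which is the call
// ServerSideDiff makes. Malformed lines are skipped.
func dryRunSecretApplies(log string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(log))
	sc.Buffer(make([]byte, 1<<20), 1<<20) // audit lines can exceed the 64 KiB default
	for sc.Scan() {
		var ev auditEvent
		if err := json.Unmarshal(sc.Bytes(), &ev); err != nil || ev.Stage != "ResponseComplete" ||
			ev.Verb != "patch" || ev.ObjectRef.Resource != "secrets" {
			continue // unparsable, request-received stage, or not a patch on a Secret
		}
		u, err := url.Parse(ev.RequestURI)
		if err != nil || u.Query().Get("dryRun") != "All" {
			continue // a real apply, not a diff dry run
		}
		hits = append(hits, Hit{ev.User.Username, ev.ObjectRef.Namespace + "/" + ev.ObjectRef.Name, u.Query().Get("fieldManager")})
	}
	return hits
}

// Constructed sample (three events): a dry-run hit, its RequestReceived twin, a real apply.
const sampleAuditLog = `{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"patch","user":{"username":"system:serviceaccount:argocd:argocd-application-controller"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"requestURI":"/api/v1/namespaces/prod/secrets/db-creds?dryRun=All&fieldManager=argocd-controller&force=true"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"patch","user":{"username":"system:serviceaccount:argocd:argocd-application-controller"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"requestURI":"/api/v1/namespaces/prod/secrets/db-creds?dryRun=All&fieldManager=argocd-controller&force=true"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"patch","user":{"username":"system:serviceaccount:argocd:argocd-application-controller"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"requestURI":"/api/v1/namespaces/prod/secrets/db-creds?fieldManager=argocd-controller&force=true"}`
```

Correlate each hit's timestamp with Argo CD server logs to see which Argo CD user triggered the refresh that produced it.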
Post-Remediation Checklist
- Upgrade Argo CD to 3.2.11+ or 3.3.9+
- Verify the patched version is running across all Argo CD instances
- Rotate all Kubernetes Secrets in applications where ServerSideDiff was enabled
- Review Argo CD RBAC policies — limit diff/sync access to minimum necessary users
- Enable Kubernetes Envelope Encryption for Secrets at rest
- Audit Argo CD access logs for evidence of Secret disclosure
- Consider migrating to External Secrets Operator or Sealed Secrets to avoid storing raw secrets in Git or Argo CD