Kubernetes Secret Extraction via ArgoCD ServerSideDiff
A critical vulnerability in Argo CD's ServerSideDiff endpoint allows attackers with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. The issue arises from a missing authorization and data-masking gap when the argocd.argoproj.io/compare-options: IncludeMutationWebhook=true annotation is set. This bypasses the usual defense that strips non-Argo CD-managed fields, exposing real Secret values in API responses.
- The vulnerability affects Argo CD versions 3.2.0 to 3.3.8 and is patched in versions 3.3.9 and 3.2.11.
- Attackers need only read access to exploit this flaw, as all authenticated users are granted access to the ServerSideDiff endpoint by default.
- Secret data can be extracted when non-Argo CD field managers own the Secret fields, allowing real values to persist in dry-run responses.
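A defender-side audit for the two conditions the advisory names, written as an added example (not code from the advisory or from the Argo CD project): it checks whether a running Argo CD version falls in the affected range and lists Applications carrying the `IncludeMutationWebhook=true` compare option. The sample Application objects are constructed in the shape of `kubectl get applications -o json`, and the comma-separated form of the compare-options annotation is assumed from Argo CD's documentation.

```python
import re

# Range stated in the advisory: 3.2.0 - 3.3.8, patched in 3.3.9 and 3.2.11.
AFFECTED_LOW, AFFECTED_HIGH = (3, 2, 0), (3, 3, 8)
BACKPORT_FIX = (3, 2, 11)  # patched release that sits inside the range
ANNOTATION = "argocd.argoproj.io/compare-options"


def parse_version(text):
    """'v3.3.8' or '3.3.8' -> (3, 3, 8); pre-release suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    ver = parse_version(version)
    if not (AFFECTED_LOW <= ver <= AFFECTED_HIGH):
        return False
    # 3.2.11+ is the 3.2 backport fix and lies numerically below 3.3.8.
    if ver[1] == 2 and ver >= BACKPORT_FIX:
        return False
    return True


def includes_mutation_webhook(app):
    """True if the Application sets IncludeMutationWebhook=true (assumed 'k=v,k=v' syntax)."""
    annotations = app.get("metadata", {}).get("annotations") or {}
    for option in annotations.get(ANNOTATION, "").split(","):
        key, _, value = option.strip().partition("=")
        if key == "IncludeMutationWebhook" and value.strip().lower() == "true":
            return True
    return False


def audit(version, applications):
    """Return 'namespace/name' of exposed Applications; empty if the version is patched."""
    if not is_affected(version):
        return []
    return [f"{a['metadata'].get('namespace', 'argocd')}/{a['metadata']['name']}"
            for a in applications if includes_mutation_webhook(a)]


# Constructed sample: only 'payments' opts into mutation-webhook dry runs.
SAMPLE_APPLICATIONS = [
    {"metadata": {"name": "payments", "namespace": "argocd",
                  "annotations": {ANNOTATION: "ServerSideDiff=true,IncludeMutationWebhook=true"}}},
    {"metadata": {"name": "frontend", "namespace": "argocd",
                  "annotations": {ANNOTATION: "ServerSideDiff=true"}}},
    {"metadata": {"name": "batch", "namespace": "argocd", "annotations": None}},
]

if __name__ == "__main__":
    print(audit("v3.3.8", SAMPLE_APPLICATIONS))  # ['argocd/payments']
```

Applications the audit lists should either have the option removed or the cluster upgraded to a patched release; the check cannot see which field managers own a Secret's fields, so treat every hit as exposed.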
Opening excerpt (first ~120 words):

Kubernetes Secret Extraction via ArgoCD ServerSideDiff. Severity: Critical. alexmt published GHSA-3v3m-wc6v-x4x3 on May 1, 2026. Package: gomod github.com/argoproj/argo-cd/v3 (Go). Affected versions: 3.2.0 - 3.3.8. Patched versions: 3.3.9, 3.2.11. Description / Summary: There is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API…
Excerpt limited to ~120 words for fair-use compliance. The full article is at GitHub.