Back to overview

CVE-2026-45737

MEDIUM Exploitation: PoC
6.3
CVSS 3.1
Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From 3.2.0 until 3.2.12, 3.3.10, and 3.4.2, Argo CD ServerSideDiff can expose Kubernetes Secret values embedded in the kubectl.kubernetes.io/last-applied-configuration annotation because HideSecretData(target, live, ...) does not fully sanitize ResourceDiff.TargetState and LiveState predicted live Secret objects, allowing sensitive data, stringData, and annotations to appear in UI or CLI diffs. This issue is fixed in versions 3.2.12, 3.3.10, and 3.4.2.

Metadata

CVE ID
CVE-2026-45737
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-13 06:54 UTC
Published
2026-07-15 20:00 UTC
Last updated
2026-07-16 19:14 UTC
Primary CWE
CWE-200
CWE-200: Exposure of Sensitive Information to an Unauthorize…
Vendor / Product
argoproj / argo-cd
Sources
cve.org  ·  NVD

Severity & Metrics

6.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
argoproj argo-cd >= 3.2.0, < 3.2.12, >= 3.3.9, < 3.3.10, >= 3.4.1, < 3.4.2
Weakness (CWE)
CWESourceDescription
CWE-200 cna CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-212 cna CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
References (8)
Back to overview