CVE-2025-55190 · CRITICAL 9.9 · EPSS p90.3%

CVE-2025-55190

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions can retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. The issue is not limited to project-scoped tokens: any token whose RBAC policy grants `get` on `projects` is affected, including global grants such as `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.
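Two checks a practitioner would want to run against an installation before and after patching: whether the deployed Argo CD version falls inside the affected ranges above (including the 3.1.0 release candidates), and which RBAC subjects in an `argocd-rbac-cm` policy effectively hold `projects get`, either directly or through a `g` role binding. The following is an added example written for this page, not code from the Argo CD project. It assumes Argo CD's `p, subject, resource, action, object, effect` / `g, subject, role` policy CSV syntax, uses shell-style glob matching for the resource and action fields (Argo CD also accepts regexes, which this does not model), and ignores `deny` rules, so it over-reports rather than under-reports. The sample policy is constructed for the example.

```python
"""Audit helpers for CVE-2025-55190 (Argo CD): version-range check and RBAC policy scan."""
import fnmatch
import re
from typing import Dict, List, Optional, Set, Tuple

# Affected ranges and fixed versions as stated in the advisory text above:
# (first affected, last affected, fixed-in).
AFFECTED_RANGES = [
    ("2.13.0", "2.13.8", "2.13.9"),
    ("2.14.0", "2.14.15", "2.14.16"),
    ("3.0.0", "3.0.12", "3.0.14"),
    ("3.1.0-rc1", "3.1.1", "3.1.2"),
]

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Turn 'v3.1.0-rc2' into a sortable tuple. A release candidate sorts before
    the final release with the same x.y.z, so 'no rc' is encoded as a large key."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {v!r}")
    major, minor, patch, rc = m.groups()
    rc_key = int(rc) if rc is not None else 10**6
    return (int(major), int(minor), int(patch), rc_key)


def is_vulnerable(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected?, fixed-in version) for a deployed Argo CD version."""
    key = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        if parse_version(lo) <= key <= parse_version(hi):
            return True, fixed
    return False, None


def parse_policy(policy_csv: str) -> Tuple[List[Tuple[str, ...]], Dict[str, Set[str]]]:
    """Split a policy.csv into permission tuples (subject, resource, action,
    object, effect) and a map of subject -> roles granted via 'g' lines."""
    perms: List[Tuple[str, ...]] = []
    bindings: Dict[str, Set[str]] = {}
    for raw in policy_csv.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            perms.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            bindings.setdefault(fields[1], set()).add(fields[2])
    return perms, bindings


def subjects_with_project_get(perms, bindings) -> Dict[str, List[str]]:
    """Subjects (roles, users, groups, project roles) that can 'get' a project,
    mapped to the policy lines granting it. Wildcards such as '*' count, since a
    token holding them is exactly the global case the advisory warns about.
    Assumption: glob matching only; 'deny' lines are not evaluated."""
    direct: Dict[str, List[str]] = {}
    for subject, resource, action, obj, effect in perms:
        if effect != "allow":
            continue
        if fnmatch.fnmatchcase("projects", resource) and fnmatch.fnmatchcase("get", action):
            direct.setdefault(subject, []).append(
                f"p, {subject}, {resource}, {action}, {obj}, {effect}")
    # Anyone bound to a granting role inherits the exposure.
    result = {k: list(v) for k, v in direct.items()}
    for subject, roles in bindings.items():
        inherited = [line for role in sorted(roles) for line in direct.get(role, [])]
        if inherited:
            result.setdefault(subject, []).extend(inherited)
    return result


# Constructed sample policy for the example; not taken from a real cluster.
SAMPLE_POLICY = """\
p, role:org-admin, *, *, *, allow
p, role:dev, applications, *, team-a/*, allow
p, role:dev, projects, get, team-a, allow
p, role/user, projects, get, *, allow
p, role:ci, applications, sync, */*, allow
p, proj:team-a:deployer, applications, sync, team-a/*, allow
g, alice, role:dev
g, bob, role:ci
g, ci-bot, role/user
"""

if __name__ == "__main__":
    for v in ("v2.14.15", "3.1.0-rc2", "3.0.14"):
        print(v, is_vulnerable(v))
    exposed = subjects_with_project_get(*parse_policy(SAMPLE_POLICY))
    for subject, lines in sorted(exposed.items()):
        print(subject, "<-", "; ".join(lines))
```

On the sample policy the scan reports `role:org-admin` (via `*`), `role:dev`, `role/user`, and the bound users `alice` and `ci-bot`; `role:ci`, `bob` and the project-scoped `proj:team-a:deployer` are not reported because their grants never match `projects`/`get`. Every subject listed should be treated as able to read repository credentials until the instance is on a fixed version.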

Scoring

CVSS 3.1: 9.9 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 4.52% probability of exploitation · percentile 90.3% · 2026-06-18T12:00:27Z
Published: 2025-09-04
Last modified: 2025-09-19

Underlying weaknesses · 1

CWE-200

References

  1. https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8
  2. https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff

Mapped entities · 1

Type | Target | Confidence | Tier
Weakness | Exposure of Sensitive Information to an Unauthorized Actor (cwe-200) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE-2026-42880
  - CVE-2026-42296
  - CVE-2025-13888
  - CVE-2026-42297
  - CVE-2025-32445
  - CVE-2026-31892
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.