CVE-2026-42880 (CRITICAL, CVSS 9.6, EPSS percentile 29.6%)

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 3.2.0 up to (but not including) 3.2.11 and 3.3.0 up to (but not including) 3.3.9, a missing authorization check and a data-masking gap in Argo CD's ServerSideDiff endpoint allow an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

Scoring

CVSS 3.1: 9.6 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.38% probability of exploitation · percentile 29.6% · 2026-06-19T12:03:05Z
Published: 2026-05-07
Last modified: 2026-05-11

Underlying weaknesses (2)

CWE-200, CWE-212

References

  1. https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3

Type      Target                                                                          Confidence  Tier
Weakness  Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)            0%          live
Weakness  Improper Removal of Sensitive Information Before Storage or Transfer (CWE-212)  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-55190
  2. CVE-2026-42296
  3. CVE-2026-31892
  4. CVE-2026-6388
  5. CVE-2026-42297
  6. CVE-2025-13888

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.