Home / Vulnerability Intelligence / CVE-2026-42880

CVE-2026-42880 - Vulnerability Analysis

CriticalCVSS: 9.6

Last Updated: May 8, 2026

Argo CD - Broken Access Control

Published: May 7, 2026Updated: May 8, 2026Remote Exploitable

Overview

Argo CD 3.2.0 < versions < 3.2.11 and 3.3.0 < versions < 3.3.9 contain a broken access control caused by missing authorization and data masking in ServerSideDiff endpoint, letting attackers with read-only access extract plaintext Kubernetes Secret data, exploit requires read-only access.

Severity & Score

Severity: Critical

CVSS Score: 9.6

Impact

Attackers with read-only access can extract plaintext Kubernetes Secret data, leading to sensitive information disclosure.

Mitigation

Update to versions 3.2.11 or 3.3.9 or later.

References

https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3

Related Resources

Details

CVE ID: CVE-2026-42880
Severity: Critical
CVSS Score: 9.6
Type: broken_access_control
Status: unconfirmed

CWE

CWE-200

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N