Description
As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and could wind up just about anywhere.
Scores
CVSS v3
8.8
EPSS
0.0043
EPSS Percentile
62.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
CWE-1188
Status
published
Products (2)
argoproj/argo-cd
0Go
argoproj/argo_cd
< 1.5.0
Published
Apr 08, 2020
Tracked Since
Feb 18, 2026