CVE-2026-42880

CRITICAL

ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-42880. PoCs published by HAERIN-L.

AI-analyzed exploit summary: This repository contains a functional PoC for CVE-2026-42880, an information disclosure vulnerability in ArgoCD v3.2.0. The exploit demonstrates how a low-privileged viewer account can leak secret data via the ServerSideDiff gRPC endpoint due to missing hideSecretData() calls.

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, Argo CD's ServerSideDiff endpoint has a missing authorization check and a data-masking gap that allow an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

Exploits (1)

GitHub · WORKING POC
by HAERIN-L · shellpoc
https://github.com/HAERIN-L/POC_CVE-2026-42880


Classification
Working PoC 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: ArgoCD v3.2.0
Auth required
Prerequisites: ArgoCD v3.2.0 with server-side diff enabled · viewer account with read-only access · Secrets managed by external field managers
devstral-2 · analyzed May 25, 2026

Scores

CVSS v3 9.6
EPSS 0.0001
EPSS Percentile 3.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-200 CWE-212
Status published
Products (5)
argoproj/argo-cd 3.2.0 - 3.2.11 (Go)
argoproj/argo-cd 3.3.0 - 3.3.9 (Go)
argoproj/argo-cd >= 3.2.0, < 3.2.11
argoproj/argo-cd >= 3.3.0, < 3.3.9
argoproj/argo_cd 3.2.0 - 3.2.11
Published May 07, 2026
Tracked Since May 08, 2026