Vulnerability Report

CVE-2026-42880

Title: Sensitive Data Exposure in Argo CD

Information Disclosure

Proof Of Concept

PoC Available for CVE-2026-42880

CWE Category CWE-200

Published Date May 07, 2026

Modified Date May 11, 2026

Exploit Status Available

Score 9.6 CVSS v3.1

Exploit Probability (EPSS)

0.38%

Vulnerability Summary

CVE-2026-42880: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

Impacted Vendors

argoproj 1

Reference Links

https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3 https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3

CVSS v3.1

Source Entity [email protected]

Severity CRITICAL

9.6

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

CHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2026-42880 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/HAERIN-L/POC_CVE-2026-42880

View Code

May 11, 2026 MODIFIED

Vulnerability data updated via NVD.

May 08, 2026 MODIFIED

Vulnerability data updated via NVD.

May 08, 2026 MODIFIED

Vulnerability data updated via NVD.

May 08, 2026 MODIFIED

Vulnerability data updated via NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity LOW

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Affected Stack

No specific products linked.