Argo CD diff leaks K8s Secret data (CVE-2026-43824)
CVE-2026-43824: Argo CD 3.2.x/3.3.x ServerSideDiff leaks cleartext Kubernetes Secrets (CVSS 7.7). Update to 3.2.11 or 3.3.9 to block exposure.
Vendor-confirmed - CVE-2026-43824 is a high-severity information disclosure vulnerability in Argo CD 3.2.0-3.2.10 and 3.3.0-3.3.8 that exposes cleartext Kubernetes Secret data via the ServerSideDiff feature. Patched in versions 3.2.11 and 3.3.9 - update immediately.
Overview
Argo CD’s ServerSideDiff feature, which visualises resource differences between desired and live cluster states, fails to redact sensitive data from Kubernetes Secrets. An attacker with low-level authenticated access can exploit this flaw to read Secret values in cleartext, bypassing the expected masking that normally protects such data in the UI and API responses.
The vulnerability exists in the comparison logic where Secrets are diffed without stripping their data and stringData fields. This allows any user who can trigger a diff operation to see the full contents of any Secret managed by Argo CD.
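The masking step that the comparison logic needs, sketched as an added example (this is not Argo CD's code; `Obj`, `maskSecrets` and the `<redacted-N>` placeholder format are assumptions of the example). Both sides of the diff are redacted together, so equal values share a placeholder and a changed key still shows up as changed without revealing its content:

```go
package main

import "fmt"

// Obj is a decoded Kubernetes manifest (type name is an assumption of this example).
type Obj = map[string]interface{}

// maskSecrets returns copies of desired and live with every value under data
// and stringData replaced by a placeholder. Equal cleartext values share one
// placeholder, so a diff still shows which keys changed but never their content.
func maskSecrets(desired, live Obj) (Obj, Obj) {
	seen := map[string]string{} // cleartext value -> placeholder
	mask := func(o Obj) Obj {
		if o["kind"] != "Secret" {
			return o // only Secrets carry data/stringData that must be hidden
		}
		out := Obj{}
		for k, v := range o {
			out[k] = v
		}
		for _, field := range []string{"data", "stringData"} {
			m, ok := o[field].(map[string]interface{})
			if !ok {
				continue
			}
			red := map[string]interface{}{}
			for k, v := range m {
				s := fmt.Sprint(v)
				if _, ok := seen[s]; !ok {
					seen[s] = fmt.Sprintf("<redacted-%d>", len(seen)+1)
				}
				red[k] = seen[s]
			}
			out[field] = red
		}
		return out
	}
	return mask(desired), mask(live)
}

func main() {
	// Constructed sample manifests; the values are made up for this example.
	desired := Obj{"kind": "Secret", "data": Obj{"user": "YXBw", "pass": "bmV3"}}
	live := Obj{"kind": "Secret", "data": Obj{"user": "YXBw", "pass": "b2xk"}}
	d, l := maskSecrets(desired, live)
	fmt.Println("desired:", d["data"])
	fmt.Println("live:   ", l["data"])
}
```

Any diff output, API response or log line should be built from the masked copies only; the originals are left unmodified.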
Impact
| Detail | Value |
|---|---|
| CVSS Score | 7.7 |
| Attack Vector | Network |
| Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
An authenticated attacker with read access to Argo CD applications can enumerate and view all Secret data across the cluster. This includes database credentials, API keys, TLS certificates, and any other sensitive values stored as Secrets. The exposure is immediate and does not require chaining with additional vulnerabilities.
Affected Versions
- Argo CD 3.2.x: Versions 3.2.0 through 3.2.10
- Argo CD 3.3.x: Versions 3.3.0 through 3.3.8
Remediation
- Immediate upgrade to Argo CD 3.2.11 or 3.3.9
- If immediate upgrade is not possible, restrict access to Argo CD diff operations to only trusted administrators
- Review audit logs for any unexpected or suspicious diff requests that may indicate exploitation attempts
- Rotate all credentials exposed through Secrets that were viewable during the vulnerable window
No vendor-provided workaround is available; the fix modifies the core diff rendering logic to properly mask Secret fields.
Security Insight
This vulnerability highlights a recurring pattern in DevOps tools that expose sensitive data through “developer-friendly” preview features. The ServerSideDiff feature prioritised operational visibility over security boundaries, treating Secret masking as a UI convenience rather than a security control. Organisations should treat any feature that displays raw configuration data as a potential information disclosure vector and apply the principle of least privilege to its access controls.