{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-42880","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-04-30T18:49:06.711Z","datePublished":"2026-05-07T22:20:39.506Z","dateUpdated":"2026-06-30T12:08:38.032Z"},"containers":{"cna":{"title":"ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction","problemTypes":[{"descriptions":[{"cweId":"CWE-200","lang":"en","description":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-212","lang":"en","description":"CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":9.6,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3","tags":["x_refsource_CONFIRM"],"url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3"}],"affected":[{"vendor":"argoproj","product":"argo-cd","versions":[{"version":">= 3.2.0, < 3.2.11","status":"affected"},{"version":">= 3.3.0, < 3.3.9","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-05-07T22:20:39.506Z"},"descriptions":[{"lang":"en","value":"Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9."}],"source":{"advisory":"GHSA-3v3m-wc6v-x4x3","discovery":"UNKNOWN"}},"adp":[{"references":[{"url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-13T00:00:00+00:00","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3","id":"CVE-2026-42880"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-14T03:56:28.920Z"}},{"affected":[{"cpes":["cpe:/a:redhat:openshift_gitops:1.19::el8"],"defaultStatus":"affected","product":"Red Hat OpenShift GitOps 1.19","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_gitops:1.20::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift GitOps 1.2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_data_foundation:4"],"defaultStatus":"affected","product":"Red Hat Openshift Data Foundation 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_gitops:1"],"defaultStatus":"unaffected","product":"Red Hat OpenShift GitOps","vendor":"Red Hat"}],"datePublic":"2026-05-07T22:20:39.506Z","descriptions":[{"lang":"en","value":"A flaw was found in Argo CD, a GitOps continuous delivery tool for Kubernetes. A missing authorization and data-masking gap in the ServerSideDiff endpoint allows an attacker with read-only access to extract sensitive Kubernetes Secret data. This information disclosure occurs by leveraging the Kubernetes API server's Server-Side Apply dry-run mechanism, potentially exposing critical configuration and credentials."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-201","description":"Insertion of Sensitive Information Into Sent Data","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-42880"},{"name":"RHBZ#2467882","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2467882"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42880.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:20943"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:20947"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHBA-2026:12433"}],"solutions":[{"lang":"en","value":"RHSA-2026:20943: Red Hat OpenShift GitOps 1.19"},{"lang":"en","value":"RHSA-2026:20947: Red Hat OpenShift GitOps 1.2"},{"lang":"en","value":"RHBA-2026:12433: Red Hat OpenShift GitOps 1.2"}],"timeline":[{"lang":"en","time":"2026-05-07T23:00:58.796Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-07T22:20:39.506Z","value":"Made public."}],"title":"argoproj/argo-cd: Argo CD: Information disclosure of Kubernetes Secret data via Server-Side Apply dry-run mechanism","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:08:38.032Z"}}]}}