CVE-2026-42880: ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction

May 7, 2026

There is a missing authorization and data-masking gap in Argo CD’s ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server’s Server-Side Apply dry-run mechanism.

References

github.com/advisories/GHSA-3v3m-wc6v-x4x3
github.com/argoproj/argo-cd
github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3
nvd.nist.gov/vuln/detail/CVE-2026-42880

Code Behaviors & Features

Detect and mitigate CVE-2026-42880 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →