{
  "threat_severity" : "Important",
  "public_date" : "2026-05-07T22:20:39Z",
  "bugzilla" : {
    "description" : "argoproj/argo-cd: Argo CD: Information disclosure of Kubernetes Secret data via Server-Side Apply dry-run mechanism",
    "id" : "2467882",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2467882"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-201",
  "details" : [ "Argo CD is a declarative GitOps continuous delivery tool for Kubernetes. In versions 3.2.0 up to (but not including) 3.2.11 and 3.3.0 up to (but not including) 3.3.9, Argo CD's ServerSideDiff endpoint is missing an authorization check and has a data-masking gap, which allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.", "A flaw was found in Argo CD, a GitOps continuous delivery tool for Kubernetes. A missing authorization check and a data-masking gap in the ServerSideDiff endpoint allow an attacker with read-only access to extract sensitive Kubernetes Secret data. The disclosure occurs through the Kubernetes API server's Server-Side Apply dry-run mechanism, potentially exposing critical configuration and credentials." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift GitOps 1.19",
    "release_date" : "2026-05-26T00:00:00Z",
    "advisory" : "RHSA-2026:20943",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1.19::el8",
    "package" : "openshift-gitops-1/argocd-image-updater-rhel8:1779211412"
  }, {
    "product_name" : "Red Hat OpenShift GitOps 1.2",
    "release_date" : "2026-04-30T00:00:00Z",
    "advisory" : "RHBA-2026:12433",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1.20::el9",
    "package" : "openshift-gitops-1/argocd-rhel9:1776942799"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Affected",
    "package_name" : "odf4/odf-multicluster-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Not affected",
    "package_name" : "openshift-gitops-1/argocd-agent-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Affected",
    "package_name" : "openshift-gitops-1/argocd-agent-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Affected",
    "package_name" : "openshift-gitops-1/argocd-image-updater-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Not affected",
    "package_name" : "openshift-gitops-1/argocd-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Not affected",
    "package_name" : "openshift-gitops-1/gitops-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Not affected",
    "package_name" : "openshift-gitops-1/gitops-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Not affected",
    "package_name" : "openshift-gitops-1/gitops-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Affected",
    "package_name" : "openshift-gitops-1/gitops-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-42880\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42880\nhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3" ],
  "name" : "CVE-2026-42880",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}