CVE-2026-42880

Argo CD

An authorization gap in Argo CD allows read-only users to extract plaintext Kubernetes Secret data via the ServerSideDiff endpoint.

Executive summary

A critical authorization vulnerability in Argo CD allows attackers with read-only access to extract sensitive Kubernetes Secret data, requiring immediate patching.

Vulnerability

The ServerSideDiff endpoint fails to properly mask sensitive data during dry-run operations, allowing unauthorized extraction of plaintext Kubernetes Secrets.

Business impact

With a CVSS score of 9.6, this vulnerability is severe: it directly exposes credentials stored as Kubernetes Secrets within the cluster, which can facilitate lateral movement and further compromise of the surrounding infrastructure.

Remediation

Immediate Action: Upgrade to Argo CD 3.2.11 or 3.3.9, or a later release on either line.

Proactive Monitoring: Review audit logs for unusual access to the ServerSideDiff endpoint and check for unexpected secret access patterns.

Compensating Controls: Limit access to the Argo CD API to authorized users only and implement strict RBAC policies within the Kubernetes cluster.
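The following is an added example, not code from Argo CD or from this advisory's author, that turns the upgrade guidance above into a repeatable check: it parses an Argo CD version string (or the output of `argocd version`, whose `argocd-server:` line format is an assumption here) and classifies it against the fixed releases 3.2.11 and 3.3.9 named above. The classification policy is an assumption about how to read "or later": release lines newer than 3.3 are treated as fixed, and lines the advisory does not mention (3.1 and earlier) are flagged for manual review rather than guessed.

```python
"""Classify an Argo CD version against the fixed releases in this advisory.

Added example; the policy for release lines the advisory does not name is an
assumption (see assess()), not project code or an official support statement.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Fixed versions taken from the advisory, keyed by (major, minor) release line.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (3, 2): (3, 2, 11),
    (3, 3): (3, 3, 9),
}

# Accepts "3.2.10", "v3.2.10" and build-suffixed forms such as "v3.2.10+abc123".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse a version string into a (major, minor, patch) tuple of ints."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'review' for a version string.

    - A version on a release line named in the advisory is compared against
      that line's fixed version (tuple comparison handles 3.2.9 < 3.2.11).
    - Assumption: a release line newer than any named fix carries the fix.
    - Assumption: older, unnamed lines (3.1.x, 2.x) return 'review' so that a
      human confirms support status instead of the script guessing.
    """
    version = parse_version(text)
    line = version[:2]
    if line in FIXED_VERSIONS:
        return "patched" if version >= FIXED_VERSIONS[line] else "vulnerable"
    newest_fixed_line = max(FIXED_VERSIONS)
    if line > newest_fixed_line:
        return "patched"
    return "review"


def assess_version_output(output: str) -> str:
    """Classify the server version from `argocd version` output.

    Assumption: the CLI prints a line beginning "argocd-server: v<version>";
    the client line is ignored because the fix lives in the API server.
    """
    for raw in output.splitlines():
        label, sep, value = raw.strip().partition(":")
        if sep and label == "argocd-server":
            return assess(value)
    raise ValueError("no 'argocd-server:' line found in output")


# Constructed sample output (not captured from a real install): a current
# client talking to a server that is still on a vulnerable 3.2.x build.
SAMPLE_OUTPUT = """\
argocd: v3.3.9+abc123
  BuildDate: 2026-01-01T00:00:00Z
argocd-server: v3.2.10+def456
  BuildDate: 2025-12-01T00:00:00Z
"""

if __name__ == "__main__":
    for candidate in ("v3.2.10", "3.2.11", "v3.3.0+abc", "v3.3.9", "v3.4.0", "v3.1.5"):
        print(f"{candidate:>12}: {assess(candidate)}")
    print("sample server:", assess_version_output(SAMPLE_OUTPUT))
```

Run it with the real output of `argocd version` piped into `assess_version_output`, or call `assess()` with the image tag from the argocd-server Deployment; anything that returns `vulnerable` or `review` should be scheduled for the upgrade above.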

Exploitation status

Public Exploit Available: No

Analyst recommendation

Upgrade to the patched versions immediately. Audit all Kubernetes Secrets currently managed by Argo CD to determine if they have been exposed and rotate any potentially compromised credentials.