CVE-2026-43824 is a missing data-masking and authorization flaw in the Argo CD `ServerSideDiff` endpoint. While other endpoints such as `GetManifests` and `PatchResource` call `hideSecretData()` to mask Kubernetes Secret values, the `ServerSideDiff` gRPC/REST endpoint does not: it builds its response from the raw, unmasked states (PredictedLive and NormalizedLive). Every authenticated user has `get` access to this endpoint through the default read-only RBAC policy. A secondary defense layer, `removeWebhookMutation()`, normally strips non-managed fields from the Server-Side Apply (SSA) dry-run response to prevent secret leaks. That defense is bypassed entirely when the application carries the annotation `argocd.argoproj.io/compare-options: IncludeMutationWebhook=true`: with the option set to `true` the internal filter is disabled, so the raw Kubernetes API dry-run response (which contains the real secret values from etcd) flows straight to the user. The handler runs the equivalent of `kubectl apply --server-side --dry-run=server`, and extraction succeeds only if the secret's data fields have a second field manager (such as kube-controller-manager) that retains ownership during garbage collection. A proof-of-concept using gRPC-web framing automates this for Secrets (Opaque, TLS, etc.). Versions 3.2.0 through 3.3.8 are vulnerable.
Platform: Argo CD
Version: 3.2.0-3.3.8
Vulnerability: Secret data leak
Severity: Critical (9.6)
Date: 2026-05-02
Prediction: Patch 2026-05-02
What Undercode Says:
Detect vulnerable Argo CD version
kubectl get deployment argocd-server -n argocd -o jsonpath='{.spec.template.spec.containers[0].image}'
Verify whether IncludeMutationWebhook is enabled on any application (the annotation may carry several comma-separated options, so match the substring rather than the whole value):
kubectl get applications -A -o json | jq -r '.items[] | select((.metadata.annotations["argocd.argoproj.io/compare-options"] // "") | test("IncludeMutationWebhook=true")) | "\(.metadata.namespace)/\(.metadata.name)"'
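The two checks above combined into one offline triage script, added here as an example (not the advisory's or the Argo CD project's code). It assumes the image tag carries the Argo CD version and embeds constructed sample data in place of the kubectl output; the version test encodes the ranges stated above (3.2.0 to 3.2.10 and 3.3.0 to 3.3.8 vulnerable, fixed in 3.2.11 and 3.3.9).

```python
import json
import re

ANNOTATION = "argocd.argoproj.io/compare-options"
# First fixed patch level per minor release, per the advisory: 3.2.11 and 3.3.9.
FIXED_PATCH = {(3, 2): 11, (3, 3): 9}

# Constructed sample data standing in for the two kubectl commands above.
SAMPLE_IMAGE = "quay.io/argoproj/argocd:v3.3.2"
SAMPLE_APPS = json.dumps({"items": [
    {"metadata": {"name": "billing", "namespace": "argocd",
                  "annotations": {ANNOTATION: "IncludeMutationWebhook=true"}}},
    {"metadata": {"name": "web", "namespace": "argocd",
                  "annotations": {ANNOTATION: "ServerSideDiff=true,IncludeMutationWebhook=true"}}},
    {"metadata": {"name": "batch", "namespace": "team-b", "annotations": None}},
]})

def parse_version(image):
    """Return (major, minor, patch) from an image tag such as ':v3.3.2', or None."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable_version(version):
    """True when the patch level is below the first fixed release of that minor."""
    if version is None:
        return False  # unknown tag; inspect manually
    major, minor, patch = version
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed

def mutation_webhook_enabled(app):
    """Parse the comma-separated option list instead of comparing the whole
    string, so combined values like 'ServerSideDiff=true,IncludeMutationWebhook=true' match."""
    annotations = app.get("metadata", {}).get("annotations") or {}
    pairs = (kv.split("=", 1) for kv in annotations.get(ANNOTATION, "").split(",") if "=" in kv)
    opts = {k.strip(): v.strip().lower() for k, v in pairs}
    return opts.get("IncludeMutationWebhook") == "true"

def triage(image, apps_json):
    """Combine the version check and the annotation scan into one finding."""
    version = parse_version(image)
    apps = json.loads(apps_json)["items"]
    exposed = sorted(f'{a["metadata"]["namespace"]}/{a["metadata"]["name"]}'
                     for a in apps if mutation_webhook_enabled(a))
    return {"version": version,
            "version_vulnerable": is_vulnerable_version(version),
            "apps_with_mutation_webhook": exposed}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_IMAGE, SAMPLE_APPS), indent=2))
```

An instance is exposed only when both findings hold: a vulnerable version and at least one application with the option enabled.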
Exploit:
python3 poc.py argocd.int.corp.com 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9...' my-app my-project
The script lists the managed secrets, constructs minimal target manifests, calls the `ServerSideDiff` endpoint over gRPC-web, and decodes the varint-framed protobuf response to extract the unmasked secret data.
Protection from this CVE:
- Upgrade Argo CD to patched versions 3.3.9 or 3.2.11.
- Remove `IncludeMutationWebhook=true` annotation from all applications.
- Adjust RBAC policies to limit `get` access to applications.
Impact:
Any user with Argo CD application `get` permissions can extract real Kubernetes Secret values (service account tokens, TLS certs, database credentials).
Sources:
Reported By: github.com

