{"id":"CVE-2026-42880","summary":"ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction","details":"Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.","aliases":["BIT-argo-cd-2026-42880","CVE-2026-43824","GHSA-3v3m-wc6v-x4x3","GO-2026-5099"],"modified":"2026-06-25T18:56:33.406946711Z","published":"2026-05-07T22:20:39.506Z","related":["CGA-2mjh-4vq8-rqg6"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42880.json","cwe_ids":["CWE-200","CWE-212"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42880.json"},{"type":"ADVISORY","url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42880"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/argoproj/argo-cd","events":[{"introduced":"66b2f302d91a42cc151808da0eec0846bbe1062c"},{"fixed":"6d66c1b29e4f25dccfb5b0c7a939785b0071ef9a"},{"introduced":"fd6b7d5b3cba5e7aa7ad400b0fb905a81018a77b"},{"fixed":"1b1bb48f981385cf40b282e965cf63419be3d93f"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"3.2.0"},{"fixed":"3.2.11"},{"introduced":"3.3.0"},{"fixed":"3.3.9"}],"cpe":"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*"}}],"versions":["v3.2.10","v3.3.8","v3.3.7","v3.2.9","v3.2.8","v3.3.6","v3.3.5","v3.3.4","v3.3.3","v3.3.2","v3.2.7","v3.3.1","v3.2.6","v3.3.0","v3.2.5","v3.2.4","v3.2.3","v3.2.2","v3.2.1","v3.2.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42880.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"}]}