Argo CD · CVE-2026-42880
**Name of the Vulnerable Software and Affected Versions**
Argo CD versions 3.2.0 through 3.2.10
Argo CD versions 3.3.0 through 3.3.8
**Description**
The `/application.ApplicationService/ServerSideDiff` endpoint lacks both an authorization check and data masking. An attacker with read-only access can use it to extract plaintext Kubernetes Secret data stored in etcd, because the endpoint drives a Server-Side Apply dry-run through the Kubernetes API server and the `ServerSideDiff()` function builds its response from the raw, unmasked states. A defense layer, `removeWebhookMutation()`, normally strips fields that are not managed by Argo CD and so prevents the leak, but it is bypassed when an Application carries the annotation `argocd.argoproj.io/compare-options: IncludeMutationWebhook=true`. In that case the raw response, containing real Secret values, is returned without masking.
**Recommendations**
Update Argo CD versions 3.2.0 through 3.2.10 to version 3.2.11.
Update Argo CD versions 3.3.0 through 3.3.8 to version 3.3.9.
As a temporary mitigation, avoid using the `argocd.argoproj.io/compare-options: IncludeMutationWebhook=true` annotation on Applications to ensure the `removeWebhookMutation()` defense remains active.
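An added audit helper (not Argo CD's own code) that covers both the description and the mitigation above: it flags Applications carrying the annotation that disables the `removeWebhookMutation()` defense and maps a running Argo CD version to the fixed release. It assumes the annotation value is a comma-separated list of `key=value` options and that the input is the JSON that `kubectl get applications.argoproj.io -A -o json` returns; the sample data below is constructed.

```python
"""Audit helper for CVE-2026-42880: find Applications whose compare-options
annotation disables masking, and check a version against the affected ranges."""
import json
import re

ANNOTATION = "argocd.argoproj.io/compare-options"
# Affected ranges from the advisory: (first affected, last affected, fixed)
AFFECTED = [((3, 2, 0), (3, 2, 10), "3.2.11"),
            ((3, 3, 0), (3, 3, 8), "3.3.9")]

def parse_version(v):
    """Turn 'v3.2.5' or '3.2.5+build' into the tuple (3, 2, 5)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(x) for x in m.groups())

def fixed_version_for(v):
    """Return the release to upgrade to, or None if v is not affected."""
    t = parse_version(v)
    for lo, hi, fixed in AFFECTED:
        if lo <= t <= hi:
            return fixed
    return None

def compare_options(app):
    """Parse the annotation (assumed comma-separated key=value pairs) into a
    dict; a missing annotation yields an empty dict."""
    raw = app.get("metadata", {}).get("annotations", {}).get(ANNOTATION, "")
    opts = {}
    for item in raw.split(","):
        if "=" in item:
            k, v = item.split("=", 1)
            opts[k.strip()] = v.strip().lower()
    return opts

def includes_mutation_webhook(app):
    return compare_options(app).get("IncludeMutationWebhook") == "true"

def find_exposed_apps(app_list):
    """Return namespace/name of every Application with the risky annotation."""
    return [f"{a['metadata']['namespace']}/{a['metadata']['name']}"
            for a in app_list.get("items", []) if includes_mutation_webhook(a)]

# Constructed sample shaped like `kubectl get applications -A -o json` output.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "payments", "namespace": "argocd", "annotations":
   {"argocd.argoproj.io/compare-options": "ServerSideDiff=true,IncludeMutationWebhook=true"}}},
 {"metadata": {"name": "web", "namespace": "argocd", "annotations":
   {"argocd.argoproj.io/compare-options": "ServerSideDiff=true"}}},
 {"metadata": {"name": "batch", "namespace": "team-b"}}]}""")

if __name__ == "__main__":
    print(find_exposed_apps(SAMPLE))    # ['argocd/payments']
    print(fixed_version_for("v3.2.4"))  # 3.2.11
```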