Mark Pim

**Name of the Vulnerable Software and Affected Versions** Argo CD versions 1.4.0 through 2.1.14 Argo CD versions 2.2.0 through 2.2.8 Argo CD versions 2.3.0 through 2.3.3 **Description** A critical issue has been discovered in Argo CD that allows unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. This can be exploited if anonymous access to the Argo CD instance is enabled. In a default installation, anonymous access is disabled. The issue can be exploited to escalate privileges, allowing an attacker to gain cluster admin privileges, create, manipulate, and delete resources, and exfiltrate data by deploying malicious workloads with elevated privileges. **Recommendations** For Argo CD versions 1.4.0 through 2.1.14, upgrade to version 2.1.15 or later. For Argo CD versions 2.2.0 through 2.2.8, upgrade to version 2.2.9 or later. For Argo CD versions 2.3.0 through 2.3.3, upgrade to version 2.3.4 or later. As a temporary workaround, consider disabling anonymous access to the Argo CD instance by patching the `argocd-cm` ConfigMap to set `users.anonymous.enabled` to `"false"` or removing this field.