Vladimir Pouzanov

Researcher from Indeed
#28466 of 53,633
Total CVSS: 9
Vulnerabilities · 1

PT-2023-5114 · CVSS 9 · 2023-01-25
Argo CD · Argo CD · CVE-2023-22482
**Name of the Vulnerable Software and Affected Versions**

Argo CD versions 1.8.2 through 2.3.12
Argo CD versions 2.4.0 through 2.4.18
Argo CD versions 2.5.0 through 2.5.5
Argo CD versions 2.6.0-rc0 through 2.6.0-rc2

**Description**

The issue is an improper authorization bug in Argo CD that causes the API to accept tokens it should reject. OIDC providers include an `aud` (audience) claim in the signed tokens they issue, naming the client or clients the token is intended for. Argo CD does not validate this claim, so it accepts tokens that were never issued to it. If the configured OIDC provider also serves other clients, Argo CD will accept a token minted for one of those other audiences and grant the user privileges according to that token's `groups` claim. Because such a token is correctly signed by the trusted issuer, signature and expiry checks pass; only an audience check would distinguish it from a token meant for Argo CD.

The bug therefore increases the impact of a stolen token: an attacker holding a valid token for some other application behind the same identity provider can use it to authenticate to Argo CD, with whatever RBAC the groups in that token map to.

**Recommendations**

For versions 1.8.2 through 2.3.12, update to version 2.3.13 or later.
For versions 2.4.0 through 2.4.18, update to version 2.4.19 or later.
For versions 2.5.0 through 2.5.5, update to version 2.5.6 or later.
For versions 2.6.0-rc0 through 2.6.0-rc2, update to version 2.6.0-rc3 or later.

As a temporary workaround, consider configuring the `allowedAudiences` option in the OIDC config block to specify the intended audiences for the token. Note that the audience check, and with it the `allowedAudiences` setting, is only honoured by versions that actually validate the claim, i.e. the patched versions; an affected version ignores `aud` regardless of configuration, so upgrading is the effective fix.
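The audience check described above, shown as an added example that is not Argo CD's own code: a minimal JWT verifier in Go (Argo CD's implementation language) with the vulnerable path, which accepts any correctly signed token, beside a fixed path that additionally requires `aud` to name one of a configured list of audiences. The issuer key, the client names `other-app` and `argo-cd`, the token claims and the `allowedAudiences` parameter are all constructed for this example, and HS256 stands in for the RS256/JWKS verification a real OIDC client performs so the code runs offline.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// issuerKey is a constructed shared secret standing in for the identity provider's signing key.
// Real OIDC tokens are RS256-signed and checked against the provider's JWKS; HS256 keeps this
// runnable offline and does not change the audience logic shown below.
var issuerKey = []byte("constructed-example-secret-not-for-production")

// signToken mints a compact HS256 JWT over claims, as the provider would for any of its clients.
func signToken(claims map[string]any, key []byte) string {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// verifySignature checks the HS256 signature and returns the claims (issuer and expiry checks are
// left out for brevity). It says nothing about aud: every token the issuer ever minted passes here.
func verifySignature(token string, key []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var claims map[string]any
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &claims)
	}
	if err != nil {
		return nil, err
	}
	return claims, nil
}

// audienceAllowed applies the RFC 7519 rule: aud is a string or an array of strings, and the
// token is acceptable only if one of them names this service. A token with no aud is rejected.
func audienceAllowed(aud any, allowed []string) bool {
	var auds []string
	switch v := aud.(type) {
	case string:
		auds = []string{v}
	case []any:
		for _, a := range v {
			if s, ok := a.(string); ok {
				auds = append(auds, s)
			}
		}
	}
	for _, a := range auds {
		for _, want := range allowed {
			if a == want {
				return true
			}
		}
	}
	return false
}

// authorizeVulnerable models the flaw: a valid signature is enough, whatever the token's aud says.
func authorizeVulnerable(token string, key []byte) (map[string]any, error) {
	return verifySignature(token, key)
}

// authorizeFixed additionally requires aud to name one of allowedAudiences, a hypothetical
// parameter standing in for the allowedAudiences option in the OIDC config block.
func authorizeFixed(token string, key []byte, allowedAudiences []string) (map[string]any, error) {
	claims, err := verifySignature(token, key)
	if err != nil {
		return nil, err
	}
	if !audienceAllowed(claims["aud"], allowedAudiences) {
		return nil, fmt.Errorf("token audience %v is not accepted here", claims["aud"])
	}
	return claims, nil
}

func main() {
	// Constructed token: same provider, minted for another client, carrying an admin-mapped group.
	stolen := signToken(map[string]any{"sub": "alice", "aud": "other-app", "groups": []string{"argocd-admins"}}, issuerKey)
	fmt.Println(authorizeVulnerable(stolen, issuerKey))
	fmt.Println(authorizeFixed(stolen, issuerKey, []string{"argo-cd"}))
}
```

Two details worth keeping in mind when porting this logic: `aud` may legitimately be an array, so a token that lists both `argo-cd` and `other-app` must still be accepted, and a token with no `aud` at all is rejected here by design, since treating "no audience" as "any audience" would reopen the same hole for providers that omit the claim.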