Zhlu32

**Name of the Vulnerable Software and Affected Versions** Argo CD versions 2.6.0 through 2.6.13 Argo CD versions 2.7.0 through 2.7.11 Argo CD versions 2.8.0 **Description** Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The issue arises from open web terminal sessions not expiring, allowing users to send any websocket messages even if the token has already expired. This can lead to users viewing sensitive information even after they should have been logged out. **Recommendations** For Argo CD versions 2.6.0 through 2.6.13, update to version 2.6.14. For Argo CD versions 2.7.0 through 2.7.11, update to version 2.7.12. For Argo CD version 2.8.0, update to version 2.8.1. As a temporary workaround, consider disabling the web-based terminal or defining RBAC rules to it.