PT-2026-36558 · Argo CD · Argo CD

Hoang-Prod · Published 2026-05-02 · Updated 2026-05-14

CVE-2026-43824

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Argo CD versions 3.2.0 through 3.2.10
Argo CD versions 3.3.0 through 3.3.8

Description
The 'ServerSideDiff' endpoint allows the disclosure of cleartext Kubernetes Secret data. This occurs when the IncludeMutationWebhook variable is set to true on an Application. The handler performs a Kubernetes Server-Side Apply (SSA) dry-run, retrieves raw Secret data from etcd, and returns it in the API response without masking and without any authorization check beyond basic login authentication. The returned data is Base64-encoded; Base64 is an encoding, not encryption, so the Secret values are effectively cleartext to any authenticated caller.

Recommendations
Update versions 3.2.0 through 3.2.10 to version 3.2.11. Update versions 3.3.0 through 3.3.8 to version 3.3.9. As a temporary mitigation, ensure the IncludeMutationWebhook variable is set to false or disabled for all Applications.
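As an added check (example code, not part of this advisory or of Argo CD itself), the audit below walks a set of Application manifests and reports those that enable the option the mitigation tells you to disable, together with whether the running Argo CD version falls inside an affected range. It assumes the setting is expressed as the Application sync option `IncludeMutationWebhook=true` under `spec.syncPolicy.syncOptions`; the sample Applications are constructed for illustration.

```python
"""Added example, not Argo CD code: flag Applications that set the
IncludeMutationWebhook option on an affected Argo CD version. Assumes the
setting is the sync option `IncludeMutationWebhook=true` under
spec.syncPolicy.syncOptions; the running version is supplied by the caller."""
from typing import Any, Dict, List, Optional, Tuple

# Affected ranges and fixed releases as stated in the advisory.
AFFECTED_RANGES = [((3, 2, 0), (3, 2, 10), "3.2.11"), ((3, 3, 0), (3, 3, 8), "3.3.9")]

def parse_version(version: str) -> Tuple[int, ...]:
    """'v3.3.4-rc1' -> (3, 3, 4); leading 'v' and pre-release suffix dropped."""
    return tuple(int(p) for p in version.lstrip("v").split("-")[0].split("."))

def fix_for(version: str) -> Optional[str]:
    """Fixed release if `version` falls in an affected range, else None."""
    ver = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= ver <= high:
            return fixed
    return None

def sync_options(app: Dict[str, Any]) -> List[str]:
    # Normalised spec.syncPolicy.syncOptions; a missing policy yields an empty list.
    policy = app.get("spec", {}).get("syncPolicy") or {}
    return [o.strip().lower() for o in policy.get("syncOptions") or []]

def audit(apps: List[Dict[str, Any]], argocd_version: str) -> List[Dict[str, Any]]:
    """One finding per Application with IncludeMutationWebhook=true, noting
    whether the running version is affected and which release fixes it."""
    fixed = fix_for(argocd_version)
    findings = []
    for app in apps:
        opts = sync_options(app)
        if "includemutationwebhook=true" in opts:
            findings.append({
                "app": app["metadata"]["name"],
                "server_side_diff": "serversidediff=true" in opts,
                "version_affected": fixed is not None,
                "fix_version": fixed,
            })
    return findings

# Constructed sample Applications, not taken from any real cluster.
SAMPLE_APPS = [
    {"metadata": {"name": "payments"}, "spec": {"syncPolicy": {"syncOptions":
        ["ServerSideDiff=true", "IncludeMutationWebhook=true"]}}},
    {"metadata": {"name": "frontend"}, "spec": {"syncPolicy": {"syncOptions":
        ["CreateNamespace=true"]}}},
    {"metadata": {"name": "no-policy"}, "spec": {}},
]
```

Running `audit(SAMPLE_APPS, "3.3.4")` reports only `payments`, marked as affected with fix version 3.3.9; the same call with "3.3.9" still lists the Application (the option is enabled) but marks the version as not affected.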


Related Identifiers

CVE-2026-43824

Affected Products

Argo CD