PT-2026-37356 · Argo CD · Argo CD

Hoang-Prod · Published 2026-05-06 · Updated 2026-06-08 · CVE-2026-42880

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Argo CD versions 3.2.0 through 3.2.10
Argo CD versions 3.3.0 through 3.3.8

Description

A missing authorization and data-masking gap exists in the '/application.ApplicationService/ServerSideDiff' endpoint. This allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. The issue occurs because the ServerSideDiff() function constructs responses using raw, unmasked states. While a defense layer called removeWebhookMutation() typically strips non-Argo CD-managed fields to prevent leaks, this protection is bypassed when an Application has the annotation argocd.argoproj.io/compare-options: IncludeMutationWebhook=true. In such cases, raw responses containing real Secret values are returned without masking.

Recommendations

Update Argo CD versions 3.2.0 through 3.2.10 to version 3.2.11. Update Argo CD versions 3.3.0 through 3.3.8 to version 3.3.9. As a temporary mitigation, avoid using the argocd.argoproj.io/compare-options: IncludeMutationWebhook=true annotation on Applications to ensure the removeWebhookMutation() defense remains active.
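The following audit script is an added example written for this advisory; it is not Argo CD project code and not part of the original record. It covers both the description above (which Applications disable the removeWebhookMutation() defense via the compare-options annotation) and the recommendation (which fixed release an installed version must move to). It reads a kubectl-style JSON List of Application objects and the running Argo CD version string. The sample Application list is constructed inline, and the comma-separated multi-option form of the compare-options annotation (for example `ServerSideDiff=true,IncludeMutationWebhook=true`) is assumed.

```python
"""Audit helper for CVE-2026-42880 (constructed example, not Argo CD code).

- find_exposed_applications(): lists Applications whose compare-options
  annotation contains IncludeMutationWebhook=true, i.e. the ones for which
  the removeWebhookMutation() masking defense is switched off.
- fixed_version_for(): maps a running Argo CD version to the fixed release
  named in the advisory, or None if the version is outside the affected ranges.
"""
import json

ANNOTATION = "argocd.argoproj.io/compare-options"
RISKY_OPTION = "IncludeMutationWebhook=true"

# (first affected, last affected, fixed release), exactly as the advisory states.
AFFECTED_RANGES = [
    ((3, 2, 0), (3, 2, 10), "3.2.11"),
    ((3, 3, 0), (3, 3, 8), "3.3.9"),
]


def parse_version(version):
    """Turn 'v3.2.5', '3.2.5-rc1' or '3.2' into a comparable (major, minor, patch) tuple."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".") if p]
    while len(parts) < 3:          # pad short versions such as '3.2'
        parts.append(0)
    return tuple(parts[:3])


def fixed_version_for(version):
    """Return the release to upgrade to, or None when the version is not affected."""
    v = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= v <= last:
            return fixed
    return None


def includes_mutation_webhook(annotations):
    """True if the compare-options annotation carries IncludeMutationWebhook=true.

    Assumes options are comma-separated; whitespace around each option is ignored.
    """
    raw = (annotations or {}).get(ANNOTATION, "")
    return any(opt.strip() == RISKY_OPTION for opt in raw.split(","))


def find_exposed_applications(app_list):
    """Return 'namespace/name' for every Application in a kubectl JSON List
    that has the masking defense disabled through the annotation."""
    exposed = []
    for item in app_list.get("items", []):
        meta = item.get("metadata", {})
        if includes_mutation_webhook(meta.get("annotations")):
            exposed.append(f"{meta.get('namespace', 'default')}/{meta.get('name')}")
    return exposed


# Constructed sample output shaped like `kubectl get applications -A -o json`.
SAMPLE_APPS = json.loads("""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"metadata": {"name": "payments", "namespace": "argocd",
                  "annotations": {"argocd.argoproj.io/compare-options":
                                  "ServerSideDiff=true, IncludeMutationWebhook=true"}}},
    {"metadata": {"name": "frontend", "namespace": "argocd",
                  "annotations": {"argocd.argoproj.io/compare-options": "ServerSideDiff=true"}}},
    {"metadata": {"name": "batch", "namespace": "argocd"}}
  ]
}
""")

if __name__ == "__main__":
    running = "v3.2.5"  # constructed: replace with the version your argocd-server reports
    fix = fixed_version_for(running)
    print(f"Argo CD {running}: " + (f"affected, upgrade to {fix}" if fix else "not in an affected range"))
    for app in find_exposed_applications(SAMPLE_APPS):
        print(f"remove IncludeMutationWebhook=true from {app} until upgraded")
```

In a real cluster, pipe `kubectl get applications -A -o json` into `json.load` in place of SAMPLE_APPS; the listed Applications are the ones where the temporary mitigation has not been applied.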

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

BDU:2026-06624
BIT-ARGO-CD-2026-42880
CLEANSTART-2026-HO16255
CLEANSTART-2026-WF25734
CVE-2026-42880
GHSA-3V3M-WC6V-X4X3

Affected Products

Argo Cd