PT-2026-40844 · Argo CD · Argo CD

Published 2026-05-13 · Updated 2026-05-19 · CVE-2026-45738

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Argo CD versions prior to 3.2.12; Argo CD versions prior to 3.3.10; Argo CD versions prior to 3.4.2 (the 3.2, 3.3 and 3.4 release lines before their respective patched releases).

Description: A stored cross-site scripting (XSS) vulnerability exists in the Summary tab of the application view. A user with write access to an Application (the typical developer role) can set a link.argocd.argoproj.io/* annotation whose value uses the pipe-delimited "Display Text | URL" form with a javascript: URI in the URL position. The UI does not validate the URL scheme before rendering the annotation as an <a> element, so an administrator who clicks the link, which shows only the attacker-chosen display text, executes arbitrary JavaScript inside their own authenticated session. That script can call the Argo CD API with the administrator's privileges, allowing data and token exfiltration and privilege escalation from developer to administrator, which in turn can lead to full takeover of the GitOps controller and of the Kubernetes workloads it manages. The root cause is the missing URL validation in ui/src/app/applications/components/application-summary/application-summary.tsx, combined with the use of React 16.x, which does not block javascript: URIs in href attributes (React 16.9 and later only log a development-mode warning for them).

Recommendations: Upgrade to the patched release for the branch in use: 3.2.12, 3.3.10 or 3.4.2. The upgrade changes how the UI renders the annotation but does not edit stored Application resources, so also review existing Application manifests for link.argocd.argoproj.io/* annotations whose URL part does not use an http or https scheme and remove any that are found.
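How the rendering flaw, its hardened form and the post-upgrade audit look in code, as an added illustration that is not Argo CD's own code and not the vendor patch: a minimal parser for the "Display Text|URL" annotation value, an unsafe render that passes the URL straight into href, a hardened render that allow-lists http/https via the WHATWG URL parser, and a helper that flags non-http(s) link annotations in an Application's metadata. The function names, the split-on-first-pipe parsing rule and the rejection of relative URLs are assumptions; the sample annotations are constructed.

```javascript
// Added example (not Argo CD's code). Models the annotation format described in the
// advisory: key "link.argocd.argoproj.io/<name>", value "Display Text|<url>".
// Assumptions: the value is split on the first '|', both halves are trimmed, and a
// value with no '|' is a bare URL titled after the annotation name.

const LINK_ANNOTATION_PREFIX = "link.argocd.argoproj.io/";
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function parseLinkAnnotation(key, value) {
  const name = key.slice(LINK_ANNOTATION_PREFIX.length);
  const sep = value.indexOf("|");
  if (sep === -1) {
    return { name, title: name, url: value.trim() };
  }
  return { name, title: value.slice(0, sep).trim(), url: value.slice(sep + 1).trim() };
}

// Vulnerable pattern: the URL goes straight into href, so "javascript:..." survives and
// the visible text is whatever the annotation author chose.
function renderLinkUnsafe(link) {
  return `<a href="${link.url}">${link.title}</a>`;
}

// Hardened check: parse with the WHATWG URL parser (which, like browsers, strips
// embedded tabs/newlines and lower-cases the scheme, so "JAVASCRIPT:" and
// "java\tscript:" are still recognised) and allow-list http/https only.
// Relative URLs fail to parse without a base and are rejected too (assumption:
// links in these annotations are absolute).
function isSafeHref(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened render: drop the link entirely when the scheme is not allowed.
function renderLinkSafe(link) {
  if (!isSafeHref(link.url)) {
    return null;
  }
  return `<a href="${escapeHtml(link.url)}" target="_blank" rel="noopener noreferrer">${escapeHtml(link.title)}</a>`;
}

// Audit helper for existing manifests: return every link annotation whose URL
// would be rejected by isSafeHref, so it can be cleaned up after the upgrade.
function findUnsafeLinkAnnotations(annotations) {
  const findings = [];
  for (const [key, value] of Object.entries(annotations)) {
    if (!key.startsWith(LINK_ANNOTATION_PREFIX)) continue;
    const link = parseLinkAnnotation(key, value);
    if (!isSafeHref(link.url)) findings.push({ key, url: link.url });
  }
  return findings;
}

// Constructed sample: metadata.annotations of one Application object.
const SAMPLE_ANNOTATIONS = {
  "link.argocd.argoproj.io/dashboard": "Grafana|https://grafana.example.com/d/app",
  "link.argocd.argoproj.io/runbook": "Runbook | javascript:alert(document.domain)",
  "link.argocd.argoproj.io/split": "Docs|java\tscript:alert(1)",
  "link.argocd.argoproj.io/upper": "Docs|JAVASCRIPT:alert(1)",
  "link.argocd.argoproj.io/data": "Export|data:text/html,<script>alert(1)</script>",
  "app.kubernetes.io/name": "not-a-link|javascript:ignored",
};

function main() {
  for (const [key, value] of Object.entries(SAMPLE_ANNOTATIONS)) {
    if (!key.startsWith(LINK_ANNOTATION_PREFIX)) continue;
    const link = parseLinkAnnotation(key, value);
    console.log(`${key}\n  unsafe: ${renderLinkUnsafe(link)}\n  safe:   ${renderLinkSafe(link)}`);
  }
  console.log("audit findings:", findUnsafeLinkAnnotations(SAMPLE_ANNOTATIONS));
}
main();
```

The hardened path deliberately allow-lists schemes rather than deny-listing "javascript:", because the URL parser normalises case and strips embedded tab and newline characters the same way a browser does before following the link; a string comparison on the raw annotation value would miss those variants. The audit helper applies the same predicate to stored manifests, which the upgrade itself does not touch.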

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-45738, GHSA-H98R-WV3H-FR38

Affected Products: Argo CD