CVE-2026-43824 - Vulnerability Details - OpenCVE

In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Argoproj	Argo-cd Argo Cd

No data.

No data.

References

Link	Providers
https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3

History

Mon, 04 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sat, 02 May 2026 10:30:00 +0000

Type	Values Removed	Values Added
Title		Argo CD ServerSideDiff allows cleartext Kubernetes Secret exposure

Sat, 02 May 2026 05:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Argoproj argo-cd
Vendors & Products		Argoproj argo-cd

Sat, 02 May 2026 02:00:00 +0000

Type	Values Removed	Values Added
Description		In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.
First Time appeared		Argoproj Argoproj argo Cd
Weaknesses		CWE-212
CPEs		cpe:2.3:a:argoproj:argo_cd::::::::
Vendors & Products		Argoproj Argoproj argo Cd
References		https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3
Metrics		cvssV3_1 `{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-05-02T01:20:33.348Z

Updated: 2026-05-04T13:32:17.895Z

Reserved: 2026-05-02T01:20:32.951Z

Link: CVE-2026-43824

Vulnrichment

Updated: 2026-05-04T13:32:05.704Z

NVD

Status : Received

Published: 2026-05-02T02:16:00.747

Modified: 2026-05-04T14:16:34.533

Link: CVE-2026-43824

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-43824", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-05-02T01:20:32.951Z", "datePublished": "2026-05-02T01:20:33.348Z", "dateUpdated": "2026-05-04T13:32:17.895Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Argo CD", "vendor": "argoproj", "versions": [{"lessThan": "3.2.11", "status": "affected", "version": "3.2.0", "versionType": "semver"}, {"lessThan": "3.3.9", "status": "affected", "version": "3.3.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-212", "description": "CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-05-02T01:42:18.517Z"}, "references": [{"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2.0", "versionEndExcluding": "3.2.11"}, {"vulnerable": true, "criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3.0", "versionEndExcluding": "3.3.9"}]}]}]}, "adp": [{"references": [{"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-04T13:32:13.742342Z", "id": "CVE-2026-43824", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-04T13:32:17.895Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-43824", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-04T13:32:13.742342Z"}}}], "references": [{"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-04T13:32:05.704Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "argoproj", "product": "Argo CD", "versions": [{"status": "affected", "version": "3.2.0", "lessThan": "3.2.11", "versionType": "semver"}, {"status": "affected", "version": "3.3.0", "lessThan": "3.3.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-212", "description": "CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.2.11", "versionStartIncluding": "3.2.0"}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.3.9", "versionStartIncluding": "3.3.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-05-02T01:42:18.517Z"}}}, "cveMetadata": {"cveId": "CVE-2026-43824", "state": "PUBLISHED", "dateUpdated": "2026-05-04T13:32:17.895Z", "dateReserved": "2026-05-02T01:20:32.951Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-05-02T01:20:33.348Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}