CVE-2026-43824
In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.
CVSS
7.7
Alto
EPSS
0.2%
p13
KEV
—
Exploit Today
4
0-100
Publicado: 2 may 2026 · Última mod.: 15 jul 2026 · CWE-212 · CWE-312
0.2%EPSS · 30 días0.2%
2026-06-302026-07-17
In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.
- github.comhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-43824
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2464613
- github.comhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43824.json
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2021-289377.5 ALT89.7%
——27The /password.html page of the Web management interface of the Acexy Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) contains the administrator account password in plaintext. The page can be intercepted on HTTP.9dCVE-2021-426427.5 ALT68.7%
——21PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to disclose the plaintext console username and password for a printer.9dCVE-2023-318217.5 ALT47.0%
——14An issue found in ALBIS Co. ALBIS v.13.6.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp ALBIS function.9dCVE-2021-450257.5 ALT42.3%
——13ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to Cleartext Storage of Sensitive Information in a Cookie.9dCVE-2026-428809.6 CRÍ39.8%
——12Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.3dCVE-2026-408957.5 ALT38.7%
——12follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.3d