Security Advisories · argoproj/argo-cd · GitHub

Security Advisories

View known security vulnerabilities and report new vulnerabilities privately to maintainers.

Report a vulnerability

Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations
GHSA-rg3g-4rw9-gqrp published May 13, 2026 by crenshaw-dev

Moderate
Stored XSS in application link annotations enables developer-to-admin privilege escalation
GHSA-h98r-wv3h-fr38 published May 13, 2026 by crenshaw-dev

High
Kubernetes Secret Extraction via ArgoCD ServerSideDiff
GHSA-3v3m-wc6v-x4x3 published May 1, 2026 by alexmt

Critical
Project API Token Exposes Repository Credentials
GHSA-786q-9hcg-v9ff published Sep 4, 2025 by crenshaw-dev

Critical
Unauthenticated Remote DoS in Argo CD via malformed Azure DevOps git.push webhook
GHSA-gpx4-37g2-c8pv published Sep 30, 2025 by crenshaw-dev

High
Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload
GHSA-f9gq-prrc-hrhc published Sep 30, 2025 by crenshaw-dev

High
Unauthenticated DoS via malformed Gogs webhook payload
GHSA-wp4p-9pxh-cgx2 published Sep 30, 2025 by crenshaw-dev

High
DoS via credentials updates triggering a race condition that crashes the Argo CD server
GHSA-g88p-r42r-ppp9 published Sep 30, 2025 by crenshaw-dev

Moderate
The Argo CD web terminal session does not handle the revocation of user permissions properly.
GHSA-v8wx-v5jq-qhhw published Jul 24, 2024 by pasha-codefresh

Moderate
Denial of Service via malicious jqPathExpressions in ignoreDifferences
GHSA-9m6p-x4h2-6frq published Apr 26, 2024 by pasha-codefresh

Moderate