Tags: cloud-service-vulnerability, widely-deployed-product-advisory, leaked-secret-api-key, identity-authentication-vulnerability

Argo CD ServerSideDiff flaw exposed plaintext Kubernetes Secrets

Updated 3d ago · First seen May 6, 2026 · 2 sources

A critical flaw in Argo CD, tracked as CVE-2026-43824, exposed plaintext Kubernetes Secrets to low-privileged authenticated users through the ServerSideDiff endpoint. The vulnerability was caused by missing authorization and secret-masking protections, allowing the endpoint to return raw PredictedLive and NormalizedLive data from the Kubernetes API without applying Argo CD’s normal hideSecretData() masking. As a result, users with application get access could retrieve sensitive values including service account tokens, TLS material, database credentials, and API keys.

The risk was heightened when an Application used the annotation argocd.argoproj.io/compare-options: IncludeMutationWebhook=true, which bypassed an additional sanitization step and made secret extraction especially effective for resources influenced by mutation webhooks. The issue affected Argo CD versions 3.2.0 through 3.3.8, and maintainers released fixes in 3.2.11 and 3.3.9. Administrators were urged to upgrade, tighten RBAC permissions, remove the risky annotation where possible, and review Argo CD API logs for suspicious ServerSideDiff activity.
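
A defender's audit for the two conditions described above, as an added example (not code from the advisory or from Argo CD): it checks whether a server version falls in the affected range and lists Applications that carry the IncludeMutationWebhook=true option. The input shape (output of `kubectl get applications -A -o json`), the sample data and the function names are assumptions made for this example.

```python
import json
import re

ANNOTATION = "argocd.argoproj.io/compare-options"
RISKY_OPTION = "includemutationwebhook=true"
# Fixed releases per branch, as stated in the summary above.
FIXED_BY_BRANCH = {(3, 2): (3, 2, 11), (3, 3): (3, 3, 9)}

# Constructed sample in the shape of `kubectl get applications -A -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "payments", "namespace": "argocd", "annotations":
    {"argocd.argoproj.io/compare-options": "ServerSideDiff=true, IncludeMutationWebhook=true"}}},
  {"metadata": {"name": "frontend", "namespace": "argocd", "annotations":
    {"argocd.argoproj.io/compare-options": "ServerSideDiff=true"}}},
  {"metadata": {"name": "batch", "namespace": "team-a"}}
]}
""")


def is_affected(version: str) -> bool:
    """True if the version is in 3.2.0 through 3.3.8 and below its branch's fix."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    fixed = FIXED_BY_BRANCH.get(v[:2])  # None for branches outside 3.2/3.3
    return fixed is not None and v < fixed


def risky_applications(app_list: dict) -> list:
    """Return namespace/name of each Application with IncludeMutationWebhook=true."""
    hits = []
    for app in app_list.get("items", []):
        meta = app.get("metadata", {})
        value = (meta.get("annotations") or {}).get(ANNOTATION, "")
        # The annotation holds a comma-separated option list; whitespace and
        # case are normalised here so hand-edited manifests are not missed.
        options = {opt.strip().lower() for opt in value.split(",")}
        if RISKY_OPTION in options:
            hits.append(f"{meta.get('namespace', '')}/{meta.get('name', '')}")
    return sorted(hits)


if __name__ == "__main__":
    print("server affected:", is_affected("v3.3.4+constructed"))
    print("applications to review:", risky_applications(SAMPLE))
```

Applications reported by `risky_applications` are the ones to prioritise when removing the annotation and reviewing ServerSideDiff activity in the API logs.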


EVENT TIMELINE

How this story unfolded

2 events from the most recent confirmed update back to the earliest known activity.

May 6, 2026 (2mo ago)

Public reporting details affected Argo CD versions and mitigations

Public reporting described the vulnerability as affecting Argo CD versions 3.2.0 through 3.3.8 and advised administrators to upgrade to 3.3.9 or 3.2.11. It also recommended restricting RBAC permissions, removing the risky annotation where possible, and monitoring Argo CD API logs for suspicious ServerSideDiff activity.

Source: Argo CD's ServerSideDiff Vulnerability Enables Kubernetes Secret Extraction

May 1, 2026 (2mo ago)

Argo CD publishes advisory for CVE-2026-43824

A GitHub security advisory disclosed CVE-2026-43824, a missing authorization and secret-masking flaw in Argo CD's ServerSideDiff endpoint that can expose plaintext Kubernetes Secret data to authenticated users. The advisory also described how the IncludeMutationWebhook=true annotation can bypass an additional safeguard and included a proof of concept for secret extraction.

Source: Kubernetes Secret Extraction via ArgoCD ServerSideDiff · Advisory · argoproj/argo-cd · GitHub

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

7 linked

Affected products (1 linked): Kubernetes

Organizations (5 linked): LinkedIn, X, Google, Devoriales, Juliet Security