Argo CD ServerSideDiff flaw exposed plaintext Kubernetes Secrets
A critical flaw in Argo CD, tracked as CVE-2026-43824, exposed plaintext Kubernetes Secrets to low-privileged authenticated users through the ServerSideDiff endpoint. The endpoint lacked both an authorization check and the usual secret-masking step, so it returned the raw PredictedLive and NormalizedLive objects fetched from the Kubernetes API without applying Argo CD's normal hideSecretData() masking. As a result, any user holding only get permission on an Application could retrieve the Secret values it references, including service account tokens, TLS material, database credentials, and API keys.
The risk was heightened when an Application carried the annotation argocd.argoproj.io/compare-options: IncludeMutationWebhook=true, which bypassed an additional sanitization step and made secret extraction especially effective for resources modified by mutating admission webhooks. The issue affected Argo CD versions 3.2.0 through 3.3.8; maintainers released fixes in 3.2.11 and 3.3.9. Administrators were urged to upgrade, tighten RBAC so that application get is granted no more broadly than needed, remove the annotation where possible, and review Argo CD API logs for unexpected ServerSideDiff calls. Because the endpoint returned values in plaintext, any Secret that may already have been read through it should be treated as compromised and rotated: upgrading closes the endpoint but does not revoke material already disclosed.
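The following script is an added example written for this page; it is not Argo CD project code and not from either source. It turns the mitigation steps above into two offline checks: whether a given Argo CD version string falls inside the affected range (3.2.0 through 3.3.8, with fixes in 3.2.11 and 3.3.9), and which Application objects carry argocd.argoproj.io/compare-options with IncludeMutationWebhook=true. It also computes the annotation value to write back after dropping that one flag, because deleting the whole annotation would also discard other compare options (ServerSideDiff=true, IgnoreExtraneous) set on the same Application. The sample Application manifests are constructed inline; in practice the input would come from kubectl get applications -A -o json. Assumptions, labelled in the code: the affected range is interpreted per release line (3.2.x below 3.2.11 and 3.3.x below 3.3.9; other minor lines treated as out of scope), and the scanner matches the flag value case-insensitively, which is deliberately more permissive than Argo CD itself may be.

```python
"""Triage helpers for the Argo CD ServerSideDiff Secret-exposure issue.

Added example for this page, not Argo CD project code. Runs offline on
constructed sample data.
"""
import re
from typing import Iterable

ANNOTATION = "argocd.argoproj.io/compare-options"
RISKY_KEY = "IncludeMutationWebhook"

# Fix versions stated in the reporting: 3.2.11 and 3.3.9.
# ASSUMPTION: the "3.2.0 through 3.3.8" range is read per release line,
# so 3.2.x is affected below patch 11 and 3.3.x below patch 9; any other
# minor line is treated as out of scope. Confirm against the advisory.
FIXED_PATCH = {(3, 2): 11, (3, 3): 9}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'v3.3.8', '3.2.10+abcd1234' etc. into (major, minor, patch)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected_version(version: str) -> bool:
    """True if the version is in the affected range and needs an upgrade."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed


def compare_option_flags(app: dict) -> list[str]:
    """Split the comma-separated compare-options annotation into flags."""
    annotations = app.get("metadata", {}).get("annotations") or {}
    raw = annotations.get(ANNOTATION, "")
    return [f.strip() for f in raw.split(",") if f.strip()]


def _is_mutation_webhook_flag(flag: str) -> bool:
    key, _, value = flag.partition("=")
    # ASSUMPTION: value compared case-insensitively so the scan over-reports
    # rather than misses a variant spelling; Argo CD's own parsing may be stricter.
    return key.strip() == RISKY_KEY and value.strip().lower() == "true"


def has_mutation_webhook_option(app: dict) -> bool:
    return any(_is_mutation_webhook_flag(f) for f in compare_option_flags(app))


def annotation_without_mutation_webhook(app: dict) -> str:
    """Annotation value to write back with only the risky flag removed.

    Returns "" when nothing remains, meaning the annotation can be deleted
    outright (kubectl annotate ... argocd.argoproj.io/compare-options-).
    """
    kept = [f for f in compare_option_flags(app) if not _is_mutation_webhook_flag(f)]
    return ",".join(kept)


def find_risky_applications(apps: Iterable[dict]) -> list[str]:
    """Return 'namespace/name' for every Application carrying the risky flag."""
    risky = []
    for app in apps:
        if has_mutation_webhook_option(app):
            meta = app["metadata"]
            risky.append(f"{meta.get('namespace', 'argocd')}/{meta['name']}")
    return risky


def triage(version: str, apps: Iterable[dict]) -> dict:
    """Combine both checks into one report for an Argo CD installation."""
    return {
        "upgrade_required": is_affected_version(version),
        "risky_applications": find_risky_applications(apps),
    }


# Constructed sample Applications (not real cluster data).
SAMPLE_APPS = [
    {"metadata": {"name": "payments-api", "namespace": "argocd",
                  "annotations": {ANNOTATION: "ServerSideDiff=true,IncludeMutationWebhook=true"}}},
    {"metadata": {"name": "frontend", "namespace": "argocd",
                  "annotations": {ANNOTATION: "ServerSideDiff=true"}}},
    {"metadata": {"name": "batch-jobs", "namespace": "team-b",
                  "annotations": {ANNOTATION: "IgnoreExtraneous, IncludeMutationWebhook=TRUE"}}},
    {"metadata": {"name": "no-annotations", "namespace": "argocd"}},
]

if __name__ == "__main__":
    report = triage("v3.3.8", SAMPLE_APPS)
    print(report)
    for app in SAMPLE_APPS:
        if has_mutation_webhook_option(app):
            print(app["metadata"]["name"], "->", repr(annotation_without_mutation_webhook(app)))
```

Feed real data with kubectl get applications -A -o json and pass the items list to triage(); the annotation_without_mutation_webhook() value is what to set with kubectl annotate --overwrite so that ServerSideDiff or IgnoreExtraneous settings on the same Application survive the cleanup.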

How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Public reporting details affected Argo CD versions and mitigations
Public reporting described the vulnerability as affecting Argo CD versions 3.2.0 through 3.3.8 and advised administrators to upgrade to 3.3.9 or 3.2.11. It also recommended restricting RBAC permissions, removing the risky annotation where possible, and monitoring Argo CD API logs for suspicious ServerSideDiff activity.
Argo CD publishes advisory for CVE-2026-43824
A GitHub security advisory disclosed CVE-2026-43824, a missing-authorization and missing-secret-masking flaw in Argo CD's ServerSideDiff endpoint that can expose plaintext Kubernetes Secret data to authenticated users. The advisory also described how the IncludeMutationWebhook=true compare option bypasses an additional safeguard, and it included a proof of concept for secret extraction.
Sources
2 references tracked.
Argo CD's ServerSideDiff Vulnerability Enables Kubernetes Secret Extraction
cybersecuritynews.com
Kubernetes Secret Extraction via ArgoCD ServerSideDiff · Advisory · argoproj/argo-cd · GitHub
github.com


