High | Public exploit

Argo CD ServerSideDiff cleartext Kubernetes Secret disclosure

Identifiers: CVE-2026-43824, CWE-200

CVE-2026-43824 is an information disclosure vulnerability in Argo CD affecting versions 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9. The flaw is in the ServerSideDiff functionality, whose REST and gRPC handlers can return raw Kubernetes resource state without applying Argo CD's normal secret-masking logic. Specifically, the ServerSideDiff path did not invoke the hideSecretData protection used elsewhere to redact sensitive values from Kubernetes Secret objects. Exploitation is particularly effective when applications are configured with the IncludeMutationWebhook=true annotation, because Argo CD then skips the removeWebhookMutation sanitization step that would otherwise strip non-managed fields from the server-side apply dry-run response. Under those conditions, low-privileged authenticated users can trigger ServerSideDiff on managed resources and obtain plaintext Secret values, especially where secret fields are owned by non-Argo CD field managers such as kube-controller-manager or external secrets operators.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation exposes cleartext Kubernetes Secret material from the cluster to low-privileged authenticated Argo CD users. Exposed data may include service account tokens, database credentials, TLS private material, API keys, and other sensitive secrets. This can enable follow-on compromise of workloads, Kubernetes API access, lateral movement, impersonation of services or users, and broader compromise of connected infrastructure depending on the value of the disclosed secrets.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, remove the IncludeMutationWebhook=true annotation from applications where feasible, as this reduces exposure by avoiding the sanitization bypass condition described in the reporting. Tighten Argo CD RBAC to restrict application read access and access to functionality relevant to ServerSideDiff, especially for broadly assigned authenticated-user roles. Monitor Argo CD API logs for anomalous or unauthorized ServerSideDiff requests and review access to clusters and secrets that may have been exposed.

Remediation

Patch, then assume compromise.

Upgrade Argo CD to a fixed release: 3.2.11 or later on the 3.2.x branch, or 3.3.9 or later on the 3.3.x branch. The patched versions add the missing secret-masking behavior to the ServerSideDiff handler. Validate that all Argo CD instances, including HA deployments and secondary environments, are updated consistently.
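
The mitigation and remediation steps above can be turned into a quick exposure check. The script below is an added example, not code from this page or from the Argo CD project: it tests a version string against the affected ranges stated here and lists Applications that set IncludeMutationWebhook=true. It assumes the option is carried in the `argocd.argoproj.io/compare-options` annotation (the key is not given on this page) and uses constructed sample data shaped like the output of `kubectl get applications.argoproj.io -A -o json`.

```python
# Affected ranges as stated on this page: 3.2.0 before 3.2.11, 3.3.0 before 3.3.9.
FIXED_PATCH = {(3, 2): 11, (3, 3): 9}
# Assumption: the annotation key that carries Argo CD compare options.
COMPARE_OPTIONS = "argocd.argoproj.io/compare-options"


def is_affected(version):
    """True if a version string such as 'v3.2.10+abc123' falls in an affected range."""
    core = version.lstrip("v").split("+")[0].split("-")[0]
    major, minor, patch = (int(part) for part in core.split(".")[:3])
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed


def compare_options(app):
    """Parse the comma-separated compare-options annotation into a dict."""
    raw = (app.get("metadata", {}).get("annotations") or {}).get(COMPARE_OPTIONS, "")
    opts = {}
    for item in raw.split(","):
        key, _, value = item.strip().partition("=")
        if key:
            opts[key] = value.strip().lower()
    return opts


def flag_apps(app_list):
    """Return 'namespace/name' for Applications that set IncludeMutationWebhook=true."""
    flagged = []
    for app in app_list.get("items", []):
        if compare_options(app).get("IncludeMutationWebhook") == "true":
            meta = app["metadata"]
            flagged.append(f'{meta.get("namespace", "")}/{meta["name"]}')
    return sorted(flagged)


# Constructed sample data; names and namespaces are hypothetical.
SAMPLE = {"items": [
    {"metadata": {"name": "payments", "namespace": "argocd", "annotations": {
        COMPARE_OPTIONS: "ServerSideDiff=true, IncludeMutationWebhook=true"}}},
    {"metadata": {"name": "frontend", "namespace": "argocd", "annotations": {
        COMPARE_OPTIONS: "ServerSideDiff=true"}}},
    {"metadata": {"name": "batch", "namespace": "argocd", "annotations": None}},
]}

if __name__ == "__main__":
    print("version affected:", is_affected("v3.2.10+abc123"))
    print("review these Applications:", flag_apps(SAMPLE))
```

To run it against a live cluster, replace SAMPLE with the parsed JSON from the kubectl command named in the lead-in.
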
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Argoproj | Argo-Cd | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.