Argo CD Project API Token Vulnerability Exposes Sensitive Repository Credentials

Vulnerability

A vulnerability exists in Argo CD versions 2.13.0 prior to 2.13.9, 2.14.0 prior to 2.14.16, 3.0.0 prior to 3.0.14, and 3.1.0-rc1 prior to 3.1.2. API tokens with project-level permissions can access sensitive repository credentials, including usernames and passwords, through the project details API endpoint. This occurs even when the token only has standard application management permissions and no explicit access to secrets. The vulnerability also affects any token with project 'get' permission, including tokens that hold certain global permissions.

Impact

Exploitation of this vulnerability allows unauthorized access to sensitive repository credentials, which could be misused to access or manipulate repository contents or configurations.

Reproduction

To reproduce this vulnerability, create an API token with project-level permissions that include 'get' access to the project. Then, call the project details API for the affected project. The response will include sensitive repository credentials associated with the project.

Remediation

Users can upgrade to Argo CD versions 2.13.9, 2.14.16, 3.0.14, or 3.1.2 to address this vulnerability.
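The four affected ranges and their fixed releases above are what a defender needs to triage an inventory of Argo CD instances. The following is an added example (not code from this page or from the Argo CD project) that encodes those ranges and reports, for a given version string, whether it falls inside one and which release closes it. It assumes version strings in the `vMAJOR.MINOR.PATCH[-prerelease]` form Argo CD uses and applies semver ordering, so that `3.1.0-rc1` sorts before `3.1.0` and a hypothetical `2.13.9-rc1` is still reported as affected; versions outside the ranges the advisory lists (for example 2.12.x) are reported as not affected only because the advisory does not name them.

```python
import re
from typing import Optional, Tuple

# Affected ranges taken from the advisory text:
# (lower bound, inclusive; upper bound, exclusive; fixed release to upgrade to)
AFFECTED_RANGES = [
    ("2.13.0", "2.13.9", "2.13.9"),
    ("2.14.0", "2.14.16", "2.14.16"),
    ("3.0.0", "3.0.14", "3.0.14"),
    ("3.1.0-rc1", "3.1.2", "3.1.2"),
]

# One pre-release identifier such as "rc1" -> ("rc", 1); "rc" -> ("rc", -1)
_IDENT = re.compile(r"([A-Za-z]*)(\d*)")


def parse_version(version: str) -> tuple:
    """Turn 'v3.1.0-rc1' into a tuple that sorts by semver rules.

    Key layout: (major, minor, patch, release_flag, prerelease_identifiers)
    release_flag is 1 for a final release and 0 for a pre-release, so the
    pre-release of a version orders before the release with the same core.
    """
    v = version.strip().lstrip("v")
    core, _, pre = v.partition("-")
    core = core.split("+")[0]  # drop any build metadata
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    if not pre:
        return (major, minor, patch, 1, ())
    pre_key = []
    for ident in pre.split("."):
        m = _IDENT.fullmatch(ident)
        if not m:
            raise ValueError(f"unrecognised pre-release tag: {version!r}")
        text, num = m.groups()
        pre_key.append((text, int(num) if num else -1))
    return (major, minor, patch, 0, tuple(pre_key))


def is_affected(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_version). fixed_version is None when not affected."""
    key = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= key < parse_version(high):
            return True, fixed
    return False, None


if __name__ == "__main__":
    # Constructed sample inventory; replace with the versions of your own instances.
    for v in ["2.13.5", "v2.14.16", "3.0.13", "3.1.0-rc1", "3.1.2"]:
        affected, fixed = is_affected(v)
        status = f"affected, upgrade to {fixed}" if affected else "not in an affected range"
        print(f"{v:12s} {status}")
```

Feed it the output of whatever records your cluster versions (a Helm release listing, an image tag from the deployed `argocd-server` pod) and treat any `True` result as an item for the patch queue.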

Added: Sep 4, 2025, 11:23 PM
Updated: Sep 4, 2025, 11:23 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 0.5
threat: 6.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.