Intel

AIKIDO-2026-10733

github.com/argoproj/argo-cd/v3 is vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer

Improper Removal of Sensitive Information Before Storage or Transfer
CVE-2026-43824

77

High Risk

This Affects:

Go
github.com/argoproj/argo-cd/v3
3.2.0 - 3.2.10
Fixed in 3.2.11
3.3.0 - 3.3.8
Fixed in 3.3.9

TL;DR

Affected versions of Argo CD contain an authorization and data-masking flaw in the ServerSideDiff endpoint that returns unmasked Kubernetes Secret data. When the IncludeMutationWebhook=true option is set, the internal filtering that normally redacts Secret values is bypassed, and the server-side apply dry-run response carries the plaintext values stored in the cluster (etcd). An attacker with read-only access can use this to read sensitive data such as tokens, credentials and certificates that Argo CD would otherwise mask in diffs.

Who does this affect?

You are affected if you run a version in one of the vulnerable ranges and ServerSideDiff is used with IncludeMutationWebhook=true. Because the exposure only requires read-only access, every user or token that can view the affected applications' diffs should be assumed able to read the Secret values.
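The following script is an added example, not part of the advisory or of the Argo CD project. It checks the two conditions above: a version-range test on an Argo CD version string, and a test for IncludeMutationWebhook=true in a compare-options value. It assumes the option is set through the argocd.argoproj.io/compare-options Application annotation (the advisory only names the option, not where it lives), and the optional cluster sweep assumes the standard install names: an argocd-server Deployment in the argocd namespace and Applications readable with kubectl.

```shell
#!/bin/sh
# Added example (not from the advisory or the Argo CD project): offline
# checks for the two conditions named in the advisory, plus an optional
# cluster sweep that applies them.

# Vulnerable ranges published for CVE-2026-43824:
#   3.2.0 - 3.2.10 (fixed in 3.2.11), 3.3.0 - 3.3.8 (fixed in 3.3.9)
# Returns 0 if the version is in a vulnerable range, 1 otherwise.
# Accepts image-tag style input such as "v3.2.7" or "v3.3.8-rc1";
# anything that is not a dotted x.y[.z] version is treated as unknown (1).
argocd_version_vulnerable() {
  v=${1#v}                 # drop leading "v"
  v=${v%%[-+]*}            # drop pre-release / build suffix
  case "$v" in *.*) ;; *) return 1 ;; esac
  major=${v%%.*}
  rest=${v#*.}
  case "$rest" in
    *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
    *)   minor=$rest;        patch=0 ;;
  esac
  case "$patch" in
    ''|*[!0-9]*) return 1 ;;   # not a plain x.y.z version
  esac
  case "$major.$minor" in
    3.2) [ "$patch" -le 10 ] ;;
    3.3) [ "$patch" -le 8 ] ;;
    *)   return 1 ;;
  esac
}

# Assumption: the option is carried in the Application annotation
# argocd.argoproj.io/compare-options as a comma-separated list, e.g.
# "ServerSideDiff=true,IncludeMutationWebhook=true".
# Returns 0 if IncludeMutationWebhook=true is present, 1 otherwise.
compare_options_enables_webhook() {
  old_ifs=$IFS
  IFS=,
  set -- $1
  IFS=$old_ifs
  for opt in "$@"; do
    opt=$(printf '%s' "$opt" | tr -d ' \t')   # tolerate spaces after commas
    [ "$opt" = "IncludeMutationWebhook=true" ] && return 0
  done
  return 1
}

# Cluster sweep (not run unless you call it). Assumes the standard install:
# an "argocd-server" Deployment in $ARGOCD_NAMESPACE (default "argocd") and
# an Application CRD readable with "kubectl get applications".
check_cluster() {
  ns=${ARGOCD_NAMESPACE:-argocd}
  image=$(kubectl -n "$ns" get deploy argocd-server \
            -o jsonpath='{.spec.template.spec.containers[0].image}')
  tag=${image##*:}     # for digest-pinned images this is a hash: reported as unknown
  if argocd_version_vulnerable "$tag"; then
    echo "argocd-server image tag $tag: IN vulnerable range"
  else
    echo "argocd-server image tag $tag: not in vulnerable range (or unknown)"
  fi

  # Applications that opt into IncludeMutationWebhook, one "ns/name" per line
  tab=$(printf '\t')
  kubectl get applications -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{"\t"}{.metadata.annotations.argocd\.argoproj\.io/compare-options}{"\n"}{end}' |
    while IFS="$tab" read -r app opts; do
      if [ -n "$opts" ] && compare_options_enables_webhook "$opts"; then
        echo "$app: compare-options=$opts"
      fi
    done
}

# Usage (hypothetical file name): . ./argocd-check.sh && check_cluster
```

An Application listed by the sweep on a server whose tag is in range is one whose Secret diffs are readable by anyone with read-only access to it; the two checks are separate functions so they can be reused in CI against a pinned version string without cluster access.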

Background info

github.com/argoproj/argo-cd/v3 is vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in versions 3.2.0 - 3.2.10 and 3.3.0 - 3.3.8.

How to fix this

Upgrade Argo CD (Go module github.com/argoproj/argo-cd/v3) to a fixed release: 3.2.11 or later on the 3.2 line, or 3.3.9 or later on the 3.3 line. Until the upgrade is in place, removing IncludeMutationWebhook=true from affected applications removes the condition described above; Secret values that were viewable through affected diffs should be treated as potentially exposed and rotated.