SB2026051897 - Multiple vulnerabilities in Argo CD
Published: May 18, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper Removal of Sensitive Information Before Storage or Transfer (CVE-ID: CVE-2026-45737)
CWE-ID: CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote authenticated user to obtain sensitive information.
The vulnerability exists because the ServerSideDiff endpoint does not remove sensitive information from the kubectl.kubernetes.io/last-applied-configuration annotation when it builds an application diff for a Secret. Secret values in the object's own fields are redacted, but the copy of the object that kubectl embeds in that annotation is returned as-is. A remote authenticated user who can view the application's diff can obtain the Secret's contents from it.
Only Secret values embedded in the kubectl.kubernetes.io/last-applied-configuration annotation are exposed. Because kubectl writes the entire last-applied object into that annotation, this covers the raw data, stringData and any sensitive annotations of Secrets that were previously created or updated with client-side apply (plain kubectl apply); Secrets managed only by server-side apply do not carry the annotation.
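The redaction gap described above, as an added example in Go (illustrative code, not Argo CD's own implementation): a top-level-only redaction blanks data and stringData of the Secret being diffed, while an annotation-aware redaction also parses the JSON copy kubectl stored in the last-applied-configuration annotation and scrubs it with the same rules. The Secret manifest, the base64 password and the token value are constructed sample input; RedactSecretManifest and Leaks are hypothetical helper names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Annotation written by kubectl on client-side apply. Its value is a JSON copy of
// the whole last-applied object, so for a Secret it carries a second copy of data
// and stringData that a top-level-only redaction never touches.
const lastAppliedAnnotation = "kubectl.kubernetes.io/last-applied-configuration"

// Placeholder substituted for every redacted value.
const placeholder = "++++++++"

// Constructed sample: a Secret created with client-side apply. The base64 value
// decodes to "password"; "hunter2" exists only inside the annotation.
var sampleSecret = []byte(`{
  "apiVersion": "v1",
  "kind": "Secret",
  "metadata": {
    "name": "db-creds",
    "namespace": "default",
    "annotations": {
      "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Secret\",\"metadata\":{\"name\":\"db-creds\",\"namespace\":\"default\"},\"data\":{\"password\":\"cGFzc3dvcmQ=\"},\"stringData\":{\"token\":\"hunter2\"}}"
    }
  },
  "type": "Opaque",
  "data": {"password": "cGFzc3dvcmQ="}
}`)

// redactValues blanks every data and stringData value in place.
func redactValues(obj map[string]interface{}) {
	for _, field := range []string{"data", "stringData"} {
		if m, ok := obj[field].(map[string]interface{}); ok {
			for k := range m {
				m[k] = placeholder
			}
		}
	}
}

// redactLastApplied scrubs the object copy embedded in the annotation: parse it,
// apply the same redaction (recursively, in case it carries the annotation itself),
// re-serialise. A value that does not parse is replaced wholesale, never passed through.
func redactLastApplied(obj map[string]interface{}) error {
	meta, _ := obj["metadata"].(map[string]interface{})
	ann, _ := meta["annotations"].(map[string]interface{})
	raw, ok := ann[lastAppliedAnnotation].(string)
	if !ok {
		return nil
	}
	var embedded map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &embedded); err != nil {
		ann[lastAppliedAnnotation] = placeholder
		return nil
	}
	redactValues(embedded)
	if err := redactLastApplied(embedded); err != nil {
		return err
	}
	out, err := json.Marshal(embedded)
	if err != nil {
		return err
	}
	ann[lastAppliedAnnotation] = string(out)
	return nil
}

// RedactSecretManifest redacts a raw Kubernetes object before it is shown in a diff.
// Non-Secret objects pass through unchanged. scrubAnnotation=false reproduces the
// top-level-only behaviour; true is the annotation-aware version.
func RedactSecretManifest(raw []byte, scrubAnnotation bool) ([]byte, error) {
	var obj map[string]interface{}
	if err := json.Unmarshal(raw, &obj); err != nil {
		return nil, err
	}
	if kind, _ := obj["kind"].(string); kind == "Secret" {
		redactValues(obj)
		if scrubAnnotation {
			if err := redactLastApplied(obj); err != nil {
				return nil, err
			}
		}
	}
	return json.Marshal(obj)
}

// Leaks reports which of the given sensitive values still appear verbatim in the
// redacted output; the check to run over what the diff endpoint returns.
func Leaks(redacted []byte, values ...string) []string {
	var found []string
	for _, v := range values {
		if strings.Contains(string(redacted), v) {
			found = append(found, v)
		}
	}
	return found
}

func main() {
	naive, _ := RedactSecretManifest(sampleSecret, false)
	fixed, _ := RedactSecretManifest(sampleSecret, true)
	fmt.Println("top-level-only redaction leaks:", Leaks(naive, "cGFzc3dvcmQ=", "hunter2"))
	fmt.Println("annotation-aware redaction leaks:", Leaks(fixed, "cGFzc3dvcmQ=", "hunter2"))
}
```

The design point is that the annotation value is itself a document, so redaction has to be applied to it structurally rather than by matching known field names on the outer object; the same applies to any other place a serialized copy of an object is stored. To scope exposure in a cluster before patching, list Secrets and check whether `.metadata.annotations` contains the kubectl.kubernetes.io/last-applied-configuration key: only those carry the embedded copy.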
2) Cross-site scripting (CVE-ID: CVE-2026-45738)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote authenticated user to execute arbitrary JavaScript in an administrator's session context and escalate privileges.
The vulnerability exists because the application Summary tab renders link.argocd.argoproj.io/* annotations as clickable URLs without restricting the URL scheme. A remote user who can set annotations on an Application can supply a javascript: URI in such an annotation; when a higher-privileged user clicks the rendered link, the script runs in that user's session context, allowing privilege escalation.
User interaction is required: the higher-privileged user must click the rendered link in the Summary tab.
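The scheme check that closes this class of bug, as an added example in Go (illustrative code, not Argo CD's own UI or server code): link annotation values are normalized the way a browser normalizes an href (tabs, CR and LF removed, surrounding whitespace and controls trimmed) and then accepted only if the parsed scheme is on an http/https allowlist. A javascript: denylist alone would miss case variants, embedded tabs and other active schemes such as data: and vbscript:. The annotation map is constructed sample input; SafeLink and FilterLinkAnnotations are hypothetical helper names that could sit in an admission webhook or a render-time gate.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Prefix of the annotations the Summary tab renders as links.
const linkAnnotationPrefix = "link.argocd.argoproj.io/"

// Allowlist of schemes a rendered link may use. Scheme-relative and relative
// references (empty scheme) are rejected too, since these are external links.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// normalizeLink mirrors what a browser does to an href before choosing a handler:
// ASCII tab, LF and CR are removed anywhere in the string and leading/trailing
// C0 controls and spaces are trimmed (WHATWG URL parsing), so " java\tscript:..."
// is judged as "javascript:...".
func normalizeLink(raw string) string {
	s := strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1
		}
		return r
	}, raw)
	return strings.TrimFunc(s, func(r rune) bool { return r <= ' ' })
}

// SafeLink reports whether a link annotation value may be emitted as an href.
// Anything unparseable or with a scheme outside the allowlist is rejected.
func SafeLink(raw string) bool {
	u, err := url.Parse(normalizeLink(raw))
	if err != nil {
		return false
	}
	return allowedSchemes[strings.ToLower(u.Scheme)]
}

// FilterLinkAnnotations splits an object's link annotations into those safe to
// render and the (sorted) keys of those dropped. Non-link annotations are ignored.
func FilterLinkAnnotations(annotations map[string]string) (map[string]string, []string) {
	kept := map[string]string{}
	var dropped []string
	for k, v := range annotations {
		if !strings.HasPrefix(k, linkAnnotationPrefix) {
			continue
		}
		if SafeLink(v) {
			kept[k] = v
		} else {
			dropped = append(dropped, k)
		}
	}
	sort.Strings(dropped)
	return kept, dropped
}

// Constructed sample annotations on an Application object: one legitimate link
// and three payloads a naive "javascript:" prefix check would handle inconsistently.
var sampleAnnotations = map[string]string{
	"link.argocd.argoproj.io/dashboard": "https://grafana.example.com/d/app-overview",
	"link.argocd.argoproj.io/runbook":   "javascript:alert(document.domain)",
	"link.argocd.argoproj.io/wiki":      " \tJava\nScript:alert(1)",
	"link.argocd.argoproj.io/export":    "data:text/html,<script>alert(1)</script>",
	"app.kubernetes.io/name":            "demo",
}

func main() {
	kept, dropped := FilterLinkAnnotations(sampleAnnotations)
	fmt.Println("rendered:", kept)
	fmt.Println("dropped:", dropped)
}
```

Applying the filter at admission time (rejecting the Application write) is the stronger control, because it keeps the payload out of the cluster regardless of which client renders the annotation; a render-time gate in the UI is still needed as defence in depth for objects that pre-date the check.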
Remediation
Install the update from the vendor's website.