Improper access control in Argo CD - CVE-2024-31990

 


Published: April 15, 2024 / Updated: May 2, 2026


Vulnerability identifier: #VU129003
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-31990
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Argo CD
Software vendor: Argo

Description

The vulnerability allows a remote authenticated user to modify Application resources outside the source namespace restrictions that the Application's project is meant to impose.

The vulnerability exists due to improper access control in the Argo CD API server: when handling Application updates and UI operations, it does not re-check that the Application's namespace is permitted by the sourceNamespaces of the project the Application currently belongs to, so an Application that has become invalid for its project is still accepted. A remote user who can change an Application's spec.project (for example through kubectl or a GitOps-managed manifest) can move it into a project whose sourceNamespaces do not cover the Application's namespace, then use the UI to edit the Application and modify its resources outside the source namespace restrictions the new project intends to enforce.

Exploitation requires an Application that was created in one project and later reassigned to another project through kubectl or GitOps-managed changes; the validity of the Application for its new project is not re-checked on update.
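The check the description says is missing, and an audit built from it, as an added example. This is not Argo CD's own code: the AppProject and Application types are minimal stand-ins, the sample projects and Application are constructed for the example, "argocd" is assumed to be the control-plane namespace (Argo CD always permits Applications there), and Go's path.Match is used as a stand-in for Argo CD's glob matching of sourceNamespaces. It walks the reassignment scenario from the advisory: the Application is valid in team-a, is moved to team-b whose sourceNamespaces do not cover its namespace, and a hardened update path rejects it instead of letting the UI edit it.

```go
package main

import (
	"fmt"
	"path"
)

// Minimal stand-ins for the Argo CD objects (constructed for this example).
type AppProject struct {
	Name             string
	SourceNamespaces []string // glob patterns, as in spec.sourceNamespaces
}

type Application struct {
	Name      string
	Namespace string // metadata.namespace of the Application CR
	Project   string // spec.project, the field a kubectl/GitOps change flips
}

// Assumed control-plane namespace; Applications there are always permitted.
const controlPlaneNamespace = "argocd"

// namespacePermitted reports whether an Application in appNamespace may belong to proj:
// the control-plane namespace is always allowed, otherwise the namespace must match one
// of the project's sourceNamespaces patterns (path.Match stands in for Argo CD's glob).
func namespacePermitted(proj AppProject, appNamespace string) bool {
	if appNamespace == controlPlaneNamespace {
		return true
	}
	for _, pattern := range proj.SourceNamespaces {
		if ok, err := path.Match(pattern, appNamespace); err == nil && ok {
			return true
		}
	}
	return false
}

// validateUpdate is the check a hardened API server runs on every Application update,
// UI resource edits included: it resolves the app's *current* project and re-checks
// sourceNamespaces instead of trusting the validation done when the app was created.
func validateUpdate(app Application, projects map[string]AppProject) error {
	proj, ok := projects[app.Project]
	if !ok {
		return fmt.Errorf("application %s/%s references unknown project %q", app.Namespace, app.Name, app.Project)
	}
	if !namespacePermitted(proj, app.Namespace) {
		return fmt.Errorf("application %s/%s is not permitted in project %q: namespace not covered by sourceNamespaces %v",
			app.Namespace, app.Name, proj.Name, proj.SourceNamespaces)
	}
	return nil
}

// auditApplications lists apps (as namespace/name) whose current project no longer permits
// their namespace, i.e. the ones a vulnerable API server would still let a user edit via the UI.
func auditApplications(apps []Application, projects map[string]AppProject) []string {
	var bad []string
	for _, app := range apps {
		if err := validateUpdate(app, projects); err != nil {
			bad = append(bad, app.Namespace+"/"+app.Name)
		}
	}
	return bad
}

func main() {
	// Constructed sample: two projects, each restricted to its own namespace prefix.
	projects := map[string]AppProject{
		"team-a": {Name: "team-a", SourceNamespaces: []string{"team-a-*"}},
		"team-b": {Name: "team-b", SourceNamespaces: []string{"team-b-*"}},
	}
	app := Application{Name: "web", Namespace: "team-a-apps", Project: "team-a"}
	fmt.Println("create in team-a:", validateUpdate(app, projects))

	// Reassignment via kubectl/GitOps: only spec.project changes, the namespace stays.
	app.Project = "team-b"
	fmt.Println("update after reassignment to team-b:", validateUpdate(app, projects))
	fmt.Println("applications to review:", auditApplications([]Application{app}, projects))
}
```

To turn the audit into a cluster check, feed it the output of `kubectl get applications -A -o json` and `kubectl get appprojects -n argocd -o json` (metadata.namespace, spec.project and spec.sourceNamespaces are the only fields it needs); any Application it reports is one whose project assignment changed underneath a creation-time check.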


Remediation

Install the security update from the vendor's website. Until it is applied, audit Applications whose spec.project has been changed since creation and confirm that each Application's namespace is covered by its current project's sourceNamespaces; fix or re-create any Application that is not.

External links