Improper Removal of Sensitive Information Before Storage or Transfer in Argo CD - CVE-2026-45737

Published: May 18, 2026


Vulnerability identifier: #VU131760
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-45737
CWE-ID: CWE-212
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Argo
Affected software:
Argo CD

Detailed vulnerability description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to improper removal of sensitive information before storage or transfer in the ServerSideDiff endpoint when it processes application diffs for Secrets that carry the kubectl.kubernetes.io/last-applied-configuration annotation. Argo CD masks the top-level data and stringData fields of a Secret in diff output, but that annotation holds a verbatim JSON copy of the object as it was last applied, and the copy was not scrubbed. A remote user who is permitted to view an application's diff can request a diff for such a Secret and read the values out of the annotation.

Only Secret values embedded in the kubectl.kubernetes.io/last-applied-configuration annotation are exposed: raw data, stringData, and sensitive annotations of Secrets that were previously created or updated with client-side apply (kubectl apply, which is what writes this annotation). Secrets managed only through server-side apply do not receive the annotation and are not affected.
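The mechanism above, as an added example that is not Argo CD's code and is not taken from this advisory: a constructed Secret with a last-applied-configuration annotation, a detection function that lists which keys are recoverable from the annotation alone, a minimal model of the flawed masking (top-level fields only) beside a hardened version that also masks the copy inside the annotation, and a check showing which one still leaks the plaintext. The Secret, its values, the MASK placeholder and all function names are assumptions made for this example.

```python
import base64
import copy
import json

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
MASK = "++++++++"  # assumption: any fixed placeholder works; chosen to resemble the mask Argo CD shows in its UI

# Constructed sample values (invented for this example, not from any real cluster).
PASSWORD_B64 = base64.b64encode(b"hunter2").decode()
TOKEN_PLAIN = "sk-live-constructed-token"
SAMPLE_PLAINTEXTS = (PASSWORD_B64, TOKEN_PLAIN)


def sample_secret():
    """A Secret as the API server returns it after `kubectl apply`: stringData has been
    merged into data, but the annotation still holds the manifest exactly as submitted."""
    applied = {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": "db-creds", "namespace": "prod"},
        "type": "Opaque",
        "data": {"password": PASSWORD_B64},
        "stringData": {"token": TOKEN_PLAIN},
    }
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": "db-creds",
            "namespace": "prod",
            "annotations": {LAST_APPLIED: json.dumps(applied, separators=(",", ":"))},
        },
        "type": "Opaque",
        "data": {
            "password": PASSWORD_B64,
            "token": base64.b64encode(TOKEN_PLAIN.encode()).decode(),
        },
    }


def _last_applied(secret):
    """Parse the annotation. Returns (parsed dict or None, raw string or None)."""
    raw = secret.get("metadata", {}).get("annotations", {}).get(LAST_APPLIED)
    if raw is None:
        return None, None
    try:
        return json.loads(raw), raw
    except (json.JSONDecodeError, TypeError):
        return None, raw


def leaked_keys(secret):
    """Detection: keys whose unmasked values are recoverable from the annotation alone.
    Feed it the `items` of `kubectl get secrets -A -o json` to find Secrets that still
    carry live values in the annotation."""
    applied, _ = _last_applied(secret)
    if not isinstance(applied, dict):
        return {}
    found = {}
    for field in ("data", "stringData"):
        vals = applied.get(field)
        if isinstance(vals, dict):
            live = sorted(k for k, v in vals.items() if v not in ("", MASK))
            if live:
                found[field] = live
    return found


def redact_top_level_only(secret):
    """Model of the flawed behaviour: masks data/stringData on the object itself and
    leaves the annotation untouched. A reproduction of the pattern, not Argo CD's code."""
    out = copy.deepcopy(secret)
    for field in ("data", "stringData"):
        if isinstance(out.get(field), dict):
            out[field] = {k: MASK for k in out[field]}
    return out


def redact_for_display(secret):
    """Hardened form: also masks the copy inside the annotation. An annotation that
    does not parse is replaced wholesale, because its contents cannot be vetted."""
    out = redact_top_level_only(secret)
    applied, raw = _last_applied(out)
    if raw is None:
        return out
    ann = out["metadata"]["annotations"]
    if not isinstance(applied, dict):
        ann[LAST_APPLIED] = MASK
        return out
    for field in ("data", "stringData"):
        if isinstance(applied.get(field), dict):
            applied[field] = {k: MASK for k in applied[field]}
    ann[LAST_APPLIED] = json.dumps(applied, separators=(",", ":"))
    return out


def contains_plaintext(obj, needles):
    """True if any needle appears anywhere in the serialised object, which is what a
    client reading a diff response would see."""
    blob = json.dumps(obj)
    return any(n in blob for n in needles)


if __name__ == "__main__":
    s = sample_secret()
    print("keys recoverable from annotation:", leaked_keys(s))
    print("top-level-only masking leaks:", contains_plaintext(redact_top_level_only(s), SAMPLE_PLAINTEXTS))
    print("hardened masking leaks:", contains_plaintext(redact_for_display(s), SAMPLE_PLAINTEXTS))
```

The point the two redaction functions make is that masking the object's own fields is not enough: anything that renders a Kubernetes object to a less-privileged viewer has to treat the last-applied-configuration annotation as a second copy of the Secret. leaked_keys doubles as the post-upgrade inventory check, since the annotation stays on existing objects after Argo CD is patched.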


How to mitigate CVE-2026-45737

Install the security update from the vendor's website. Upgrading fixes the diff endpoint but does not remove the annotation from Secrets that already carry it, and any values that could already have been read through the diff should be treated as exposed and rotated.

Sources