The Digital Security Authority (DSA) wants to bring to your attention a vulnerability affecting Argo CD.
Technical Details
Argo CD is a Kubernetes-native continuous deployment (CD) and GitOps tool.
In the affected versions listed below, API tokens with project-level permissions can retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets.
The issue is not limited to project-scoped tokens. Any token whose RBAC policy grants `get` on `projects` is affected, including global grants such as `p, role/user, projects, get, *, allow`.
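Because the deciding factor is whether a token's subject can `get` projects, the practical first step is to audit the RBAC policy for such grants. The script below is an added example written for this advisory, not code from the DSA or from the Argo CD project. It assumes the Casbin-style policy lines Argo CD documents (`p, <subject>, <resource>, <action>, <object>, <effect>` and `g, <user or group>, <role>`), glob match mode for the resource, action and object columns, and Argo CD's evaluation rule that a matching `deny` overrides any matching `allow`; the policy text and project names are constructed for the example.

```python
"""Find RBAC subjects that can `get` Argo CD projects.

Added example for the advisory above; it is not Argo CD's own code.
Assumptions: Argo CD's Casbin-style policy.csv format, glob matching
(policy.matchMode: glob) and "some allow and no deny" effect semantics.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample policy (not taken from any real cluster). Role names such
# as role/user are placeholders; project-role subjects look like proj:<project>:<role>.
SAMPLE_POLICY = """\
# global RBAC (argocd-rbac-cm policy.csv)
p, role/readonly, applications, get, */*, allow
p, role/user, projects, get, *, allow
p, role/deployer, applications, sync, prod/*, allow
p, role/deployer, applications, get, prod/*, allow
p, role/proj-team, projects, get, team-a, allow
p, role/auditor, *, get, *, allow
p, role/locked, projects, get, *, deny
# project role policy as it would appear in an AppProject spec
p, proj:team-a:ci, projects, get, team-a, allow
g, alice, role/user
g, bob, role/deployer
g, ci-bot, role/auditor
g, carol, role/locked
g, dave, role/user
g, dave, role/locked
"""


def parse_policy(text):
    """Split policy text into permission rules and group/role assignments.

    Returns (rules, groupings): rules is a list of
    (subject, resource, action, object, effect) tuples, groupings maps a
    subject to the set of roles it is directly assigned.
    """
    rules, groupings = [], defaultdict(set)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if parts[0] == "p" and len(parts) == 6:
            rules.append(tuple(parts[1:]))
        elif parts[0] == "g" and len(parts) == 3:
            groupings[parts[1]].add(parts[2])
    return rules, groupings


def effective_subjects(subject, groupings):
    """The subject itself plus every role reachable through `g` lines."""
    seen, stack = {subject}, [subject]
    while stack:
        current = stack.pop()
        for role in groupings.get(current, ()):
            if role not in seen:
                seen.add(role)
                stack.append(role)
    return seen


def decide(subject, resource, action, obj, rules, groupings):
    """True if some matching rule allows and no matching rule denies."""
    subs = effective_subjects(subject, groupings)
    allowed = denied = False
    for p_sub, p_res, p_act, p_obj, effect in rules:
        if (p_sub in subs and fnmatchcase(resource, p_res)
                and fnmatchcase(action, p_act) and fnmatchcase(obj, p_obj)):
            if effect == "allow":
                allowed = True
            elif effect == "deny":
                denied = True
    return allowed and not denied


def audit_project_get(policy_text, projects):
    """Map each subject to the projects it can `get`; empty means not listed.

    Include Argo CD's builtin policy and policy.default lines in policy_text
    as well, otherwise grants that come from them are missed.
    """
    rules, groupings = parse_policy(policy_text)
    subjects = {rule[0] for rule in rules} | set(groupings)
    findings = {}
    for subject in sorted(subjects):
        readable = [p for p in projects
                    if decide(subject, "projects", "get", p, rules, groupings)]
        if readable:
            findings[subject] = readable
    return findings


if __name__ == "__main__":
    for subject, projects in audit_project_get(SAMPLE_POLICY, ["team-a", "team-b"]).items():
        print(f"{subject}: can get projects {projects}")
```

In the sample, `alice`, `ci-bot` and the wildcard roles show up because `projects, get, *` or `*, get, *` reaches every project, `proj:team-a:ci` and `role/proj-team` only for `team-a`, and `dave` does not appear at all because the `deny` inherited from `role/locked` overrides the `allow` from `role/user`. Feed the script the real `policy.csv` (plus the builtin policy) to see which tokens need attention until the upgrade lands.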
Affected Versions
- Versions 2.13.0 through 2.13.8
- Versions 2.14.0 through 2.14.15
- Versions 3.0.0 through 3.0.12
- Versions 3.1.0-rc1 through 3.1.1
Recommendations
The Digital Security Authority recommends upgrading Argo CD to the corresponding fixed version: 2.13.9, 2.14.16, 3.0.14 or 3.1.2. Until the upgrade is applied, review RBAC policies and project roles that grant `get` on `projects`, and consider rotating repository credentials that such tokens could have read.
References
The information presented in this report is based on available data up to the 8th of September 2025.