Severity | Score | Advisory
Affected versions are listed on the line following each advisory.

CRITICAL | 9.9 | CVE-2025-55190 Argo CD: Project API Token Exposes Repository Credentials
Affected: >= 2.13.0, < 2.13.9, >= 2.14.0, < 2.14.16, >= 3.0.0, < 3.0.14, >= 3.1.0, < 3.1.2

CRITICAL | 9.9 | CVE-2023-40029 Argo CD cluster secret might leak in cluster details page in github.com/argoproj/argo-cd
Affected: >= 2.2.0, < 2.6.15, >= 2.7.0, < 2.7.14, >= 2.8.0, < 2.8.3

CRITICAL | 9.6 | CVE-2026-42880 ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
Affected: >= 3.2.0, < 3.2.11, >= 3.3.0, < 3.3.9

CRITICAL | 9.0 | Argo CD allows cross-site scripting on repositories page
Affected: >= 1.2.0, < 2.13.8, >= 2.14.0, < 2.14.13, >= 3.0.0, < 3.0.4

CRITICAL | 9.0 | ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache
Affected: from 0, < 2.11.1

CRITICAL | 9.0 | Cross-site scripting on application summary component in argo-cd
Affected: >= 1.0.0, < 2.10.3

HIGH | 8.8 | Argo CD Insecure default administrative password
Affected: from 0, < 1.5.0

HIGH | 7.5 | Argo CD is Vulnerable to Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook
Affected: >= 2.9.0, < 2.14.20, >= 3.0.0, < 3.0.19, >= 3.1.0, < 3.1.8

HIGH | 7.5 | argo-cd is vulnerable to unauthenticated DoS attack via malformed Gogs webhook payload
Affected: >= 1.2.0, < 2.14.20, >= 3.0.0, < 3.0.19, >= 3.1.0, < 3.1.8

HIGH | 7.5 | Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload
Affected: >= 1.2.0, < 2.14.20, >= 3.0.0, < 3.0.19, >= 3.1.0, < 3.1.8

HIGH | 7.5 | Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint
Affected: >= 1.0.0, < 2.11.6

HIGH | 7.5 | Argo CD Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment
Affected: from 0, < 2.10.4

HIGH | 7.5 | As of v1.5.0, the Argo web interface authentication system issued immutable tokens.
Affected: from 0, < 1.5.0

HIGH | 7.5 | Improper Restriction of Excessive Authentication Attempts in Argo API in github.com/argoproj/argo-cd
Affected: from 0, < 1.5.0

MEDIUM | 6.8 | Argo CD does not scrub secret values from patch errors
Affected: from 0, < 2.13.4

MEDIUM | 6.5 | Repository Credentials Race Condition Crashes Argo CD Server
Affected: >= 2.1.0, < 2.14.20, >= 3.0.0, < 3.0.19, >= 3.1.0, < 3.1.8

MEDIUM | 6.5 | Denial of Service via malicious jqPathExpressions in ignoreDifferences
Affected: from 0, < 2.10.8

MEDIUM | 6.5 | Uncontrolled Resource Consumption vulnerability in ArgoCD's repo server
Affected: >= 2.4.0, < 2.10.5

MEDIUM | 6.5 | In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled.
Affected: from 0, < 1.7.12, >= 1.8.0, < 1.8.4

MEDIUM | 6.5 | Argo CD repo-server Denial of Service vulnerability in github.com/argoproj/argo-cd
Affected: >= 2.4.0, < 2.6.15, >= 2.7.0, < 2.7.14, >= 2.8.0, < 2.8.3

MEDIUM | 6.4 | Users with `create` but not `override` privileges can perform local sync in argo-cd
Affected: >= 1.2.0, < 2.8.12, >= 2.9.0, < 2.9.8, >= 2.10.0, < 2.10.3

MEDIUM | 6.3 | Repository access credential leak in github.com/argoproj/argo-cd/v2
Affected: >= 2.6.0, <= 2.6.0, >= 2.6.0-rc1, <= 2.6.0-rc1, >= 2.6.0-rc2, <= 2.6.0-rc2, >= 2.6.0-rc3, <= 2.6.0-rc3, >= 2.6.0-rc4, <= 2.6.0-rc4, >= 2.6.0-rc5, <= 2.6.0-rc5, >= 2.6.0-rc6, <= 2.6.0-rc6, >= 2.6.0-rc7, <= 2.6.0-rc7

MEDIUM | 5.5 | Exposure of System Data to an Unauthorized Control Sphere vulnerability in web UI of Argo CD allows attacker to cause leaked secret data in…
Affected: >= 1.7.0, < 1.7.14, >= 1.8.0, < 1.8.7

MEDIUM | 5.4 | Argo CD vulnerable to Bypassing of Rate Limit and Brute Force Protection Using Cache Overflow
Affected: from 0, < 2.10.4

MEDIUM | 5.4 | Argo CD vulnerable to Bypassing of Rate Limit and Brute Force Protection Using Cache Overflow
Affected: from 0, < 2.10.4

MEDIUM | 5.3 | Unauthenticated Access to sensitive settings in Argo CD
Affected: >= 2.9.3, < 2.11.3

MEDIUM | 5.3 | Observable Discrepancy in Argo in github.com/argoproj/argo-cd
Affected: >= 1.5.0, <= 1.5.0

MEDIUM | 4.8 | Argo CD's API server does not enforce project sourceNamespaces
Affected: >= 2.4.0, < 2.10.7

MEDIUM | 4.7 | The Argo CD web terminal session does not handle the revocation of user permissions properly.
Affected: >= 2.6.0, < 2.11.7

MEDIUM | 4.7 | Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd
Affected: from 0, < 1.7.13, >= 1.8.0, < 1.8.6

MEDIUM | 4.3 | Argo CD allows authenticated users to enumerate clusters by name
Affected: >= 2.10.0, < 2.11.3