
Critical Argo CD API Flaw Exposes Repository Credentials to Attackers

A major security flaw has been discovered in Argo CD, a popular open-source tool used for Kubernetes GitOps deployments.

The vulnerability allows project-level API tokens to expose sensitive repository credentials, such as usernames and passwords, to attackers. The issue has been classified as critical with a CVSS score of 9.8/10 and is tracked as CVE-2025-55190.

The flaw was publicly disclosed three days ago by security researcher crenshaw-dev, who coordinated the report along with other community contributors.

The vulnerability affects Argo CD versions starting from 2.2.0-rc1 and has now been patched in versions v3.1.2, v3.0.14, v2.14.16, and v2.13.9.

Details of the Vulnerability

The flaw exists in the Project API endpoint (/api/v1/projects/{project}/detailed). API tokens with only project-level permissions, such as those typically issued for synchronization or automation tasks, can read repository credentials through this endpoint that their scope was never meant to grant.
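A practitioner's first question is whether a given instance is on a patched release. The following Python script is an added example, not code from the article or from the Argo CD project: it encodes only the version facts stated above (affected from 2.2.0-rc1 onward; fixed in v3.1.2, v3.0.14, v2.14.16 and v2.13.9) and reports how a version string relates to them. It assumes the version is in Argo CD's usual `vMAJOR.MINOR.PATCH[-rcN][+build]` form; the sample `argocd version` output line it parses is constructed for illustration.

```python
"""Classify an Argo CD version against CVE-2025-55190 (added example).

Facts used (from the advisory summary): affected from 2.2.0-rc1 onward;
patched in v3.1.2, v3.0.14, v2.14.16 and v2.13.9.
"""
import re
from typing import Optional, Tuple

FIRST_AFFECTED = "2.2.0-rc1"
# release line -> first patched release on that line (from the article)
FIXED_BY_LINE = {"3.1": "3.1.2", "3.0": "3.0.14", "2.14": "2.14.16", "2.13": "2.13.9"}
NEWEST_COVERED_LINE = (3, 1)  # the article says nothing about lines newer than 3.1

# Assumed version shape: optional 'v', MAJOR.MINOR.PATCH, optional -rcN, optional +build metadata.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?(?:\+[0-9A-Za-z.\-]+)?$")
_FINAL_RANK = 10**6  # a final release sorts after every rc of the same number


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn 'v3.1.2', '2.2.0-rc1' or 'v2.13.9+9f1c0d3' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {text!r}")
    major, minor, patch, rc = m.groups()
    rc_rank = int(rc) if rc is not None else _FINAL_RANK
    return (int(major), int(minor), int(patch), rc_rank)


def assess(version: str) -> str:
    """Return one of: 'not_affected', 'fixed', 'vulnerable', 'unknown'.

    'vulnerable' covers both an unpatched build on a fixed line and any
    affected line (2.2 .. 3.1) for which no patched release is listed, since
    the only remedy the advisory gives is moving to a patched release.
    'unknown' is returned for lines newer than 3.1, which the advisory does
    not cover; treat those conservatively and consult the project's advisory.
    """
    v = parse_version(version)
    if v < parse_version(FIRST_AFFECTED):
        return "not_affected"
    line = (v[0], v[1])
    if line > NEWEST_COVERED_LINE:
        return "unknown"
    fixed = FIXED_BY_LINE.get(f"{line[0]}.{line[1]}")
    if fixed is None:
        return "vulnerable"
    return "fixed" if v >= parse_version(fixed) else "vulnerable"


def server_version_from_cli_output(output: str) -> Optional[str]:
    """Pull the server version out of `argocd version` output.

    Assumption: the server line looks like 'argocd-server: v3.1.2+abc1234'.
    Returns None if no such line is present.
    """
    m = re.search(r"^argocd-server:\s*(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample of `argocd version` output (not captured from a real system).
    sample_output = "argocd: v3.1.2+abc1234\nargocd-server: v3.1.1+def5678\n"
    server = server_version_from_cli_output(sample_output)
    print(server, "->", assess(server))  # prints: v3.1.1+def5678 -> vulnerable
```

Run it against the output of `argocd version` from the cluster you operate; any `vulnerable` result means the project-scoped tokens on that instance should be treated as able to read repository credentials until the upgrade lands.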

CVE ID: CVE-2025-55190
Title: ...

Copyright of this story solely belongs to gbhackers.