CVE-2025-55190
Published: 04 September 2025
Summary
CVE-2025-55190 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Argoproj Argo Cd. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 9.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
Argo CD is a declarative GitOps continuous delivery tool for Kubernetes. CVE-2025-55190 affects versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12, and 3.1.0-rc1 through 3.1.1. The flaw allows API tokens holding only project-level permissions (or any token with project get access, including global roles such as `p, role/user, projects, get, *, allow`) to read sensitive repository credentials including usernames and passwords by querying the project details API endpoint, despite lacking explicit secret access. The issue is tracked under CWE-200 and carries a CVSS 3.1 score of 9.9.
An attacker in possession of a suitably permissioned Argo CD API token can issue a request to the project details endpoint and obtain repository credentials that should be inaccessible. This enables credential theft that can be used to access connected Git repositories or downstream systems, without requiring UI interaction or elevated privileges beyond the token's project get rights.
The vulnerability is addressed in the fixed releases 2.13.9, 2.14.16, 3.0.14, and 3.1.2. The official advisory and patch commit are published at https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff and https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8. Because the flaw exposes stored credentials rather than a transient session, upgrading does not undo a read that has already happened: repository credentials reachable from any project that a token with project get rights could query should be rotated after patching, and API access logs for the project details endpoint reviewed for the exposure window.
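Two things an operator wants to know quickly for this advisory: whether the running release is in an affected range (and which fixed release to move to), and which RBAC subjects hold `projects get`, the permission the advisory names as sufficient to read repository credentials. The following triage script is an added example written for this page; it is not code from the Argo CD project or the advisory. The version ranges and fixed releases are taken from the text above. The RBAC parser reads the `p, subject, resource, action, object, effect` and `g, user, role` line format used by `argocd-rbac-cm` policy.csv (and by role policies embedded in AppProject manifests, if you feed it those lines). It assumes, as stated in the code, that the built-in `role:readonly` grants `projects, get, *` and `role:admin` grants `*, *, *`; the sample policy is constructed for the example and does not come from any real deployment.

```python
"""Triage helper for CVE-2025-55190 (Argo CD project-details credential exposure).

  1. assess_version(): is a given Argo CD release inside an affected range, and what is the fix?
  2. subjects_with_project_get(): which roles/users in a policy.csv can call the project
     details API, i.e. hold `projects get` directly or through a wildcard / group binding.
"""
import re

# Affected release lines from the advisory: (major, minor) -> (first affected, fixed release)
RELEASE_LINES = {
    (2, 13): ("2.13.0", "2.13.9"),
    (2, 14): ("2.14.0", "2.14.16"),
    (3, 0): ("3.0.0", "3.0.14"),
    (3, 1): ("3.1.0-rc1", "3.1.2"),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+.*)?$")


def parse_version(text):
    """Parse 'v3.1.0-rc1' style strings into a sortable tuple.
    A pre-release sorts below the final release with the same number (semver rule)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def assess_version(text):
    """Return (status, fixed_release): status is 'vulnerable', 'fixed' or 'unassessed'
    (release line not covered by the advisory). Anything below the fixed release of a
    covered line is reported as vulnerable; the advisory's stated 3.0 upper bound is
    3.0.12, so 3.0.13 is deliberately treated conservatively here."""
    v = parse_version(text)
    line = RELEASE_LINES.get((v[0], v[1]))
    if line is None:
        return ("unassessed", None)
    first, fixed = parse_version(line[0]), parse_version(line[1])
    if v >= fixed:
        return ("fixed", line[1])
    if v >= first:
        return ("vulnerable", line[1])
    return ("unassessed", line[1])


# Assumed built-in Argo CD policy (see lead-in): readonly can `get` projects, admin can do anything.
BUILTIN_POLICY = """
p, role:readonly, projects, get, *, allow
p, role:admin, *, *, *, allow
"""

# Constructed sample policy.csv for this example; not taken from any real deployment.
SAMPLE_POLICY_CSV = """
# global role quoted in the advisory as sufficient to trigger the flaw
p, role/user, projects, get, *, allow
p, role:ci-deployer, applications, sync, */*, allow
p, role:ci-deployer, applications, get, */*, allow
p, role:auditor, *, get, *, allow
g, alice@example.com, role/user
g, ci-bot, role:ci-deployer
g, bob@example.com, role:auditor
"""


def parse_policy_csv(text):
    """Return policy lines as tuples ('p', subj, res, act, obj, eff) or ('g', user, role);
    comments, blank lines and malformed lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = tuple(p.strip() for p in line.split(","))
        if (parts[0] == "p" and len(parts) == 6) or (parts[0] == "g" and len(parts) == 3):
            rules.append(parts)
    return rules


def grants_project_get(rule):
    """True if a 'p' rule allows `get` on `projects`, directly or via resource/action wildcards."""
    if rule[0] != "p":
        return False
    _, _subj, resource, action, _obj, effect = rule
    return resource in ("projects", "*") and action in ("get", "*") and effect == "allow"


def subjects_with_project_get(policy_text, include_builtin=True):
    """Sorted list of every subject able to read project details: roles holding the
    permission plus users/roles bound to them through `g` lines (followed transitively)."""
    rules = parse_policy_csv((BUILTIN_POLICY if include_builtin else "") + policy_text)
    members = {r[1] for r in rules if grants_project_get(r)}
    changed = True
    while changed:  # fixed point over group bindings, so role-to-role chains are resolved too
        changed = False
        for r in rules:
            if r[0] == "g" and r[2] in members and r[1] not in members:
                members.add(r[1])
                changed = True
    return sorted(members)


if __name__ == "__main__":
    for ver in ("v2.14.15", "v3.1.0-rc1", "3.1.2", "v2.12.3"):
        print(ver, assess_version(ver))
    print("subjects able to read project details:", subjects_with_project_get(SAMPLE_POLICY_CSV))
```

Note that `ci-bot`, whose role only has application get/sync, is not listed: the advisory's point is that the exposure keys off `projects get` specifically, so the review effort should go to subjects that hold it, including `role:readonly` when `policy.default` points at it.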
EPSS for the CVE rose from a low baseline to a peak of 0.1477 on 2026-02-18 before receding to the current value of 0.0538, indicating a period of increased exploitation interest after disclosure. No confirmed in-the-wild exploitation details are provided in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26875
Vulnerability details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authenticated information disclosure in the public-facing Argo CD API: a token with project get rights retrieves stored repository credentials directly (T1552 Unsecured Credentials) by exploiting the exposed project details endpoint (T1190 Exploit Public-Facing Application).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations so that API tokens with project get permissions cannot retrieve repository credentials via the project details endpoint; in practice this is the upgrade to a fixed release, which redacts the credentials from that response.
- AC-6 (Least Privilege): limits API token privileges to the minimum necessary, so that CI and automation tokens that only need application get/sync are not also granted project get, and global roles such as `p, role/user, projects, get, *, allow` are reviewed.
- SI-2 (Flaw Remediation): mandates timely identification, reporting and correction of the flaw, i.e. upgrading to 2.13.9, 2.14.16, 3.0.14 or 3.1.2 and rotating repository credentials that an affected token could have read.