Cyber Resilience

CVE-2025-55190

CriticalPublic PoC

Published: 04 September 2025

Published
04 September 2025
Modified
19 September 2025
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0538 90.3th percentile
Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-55190 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Argoproj Argo Cd. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

Argo CD is a declarative GitOps continuous delivery tool for Kubernetes. CVE-2025-55190 affects versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12, and 3.1.0-rc1 through 3.1.1. The flaw allows API tokens holding only project-level permissions (or any token with project get access, including global roles such as `p, role/user, projects, get, *, allow`) to read sensitive repository credentials including usernames and passwords by querying the project details API endpoint, despite lacking explicit secret access. The issue is tracked under CWE-200 and carries a CVSS 3.1 score of 9.9.

An attacker in possession of a suitably permissioned Argo CD API token can issue a request to the project details endpoint and obtain repository credentials that should be inaccessible. This enables credential theft that can be used to access connected Git repositories or downstream systems, without requiring UI interaction or elevated privileges beyond the token's project get rights.

The vulnerability is addressed in the fixed releases 2.13.9, 2.14.16, 3.0.14, and 3.1.2. The official advisory and patch commit are published at https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff and https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8.

EPSS for the CVE rose from a low baseline to a peak of 0.1477 on 2026-02-18 before receding to the current value of 0.0538, indicating a period of increased exploitation interest after disclosure. No confirmed in-the-wild exploitation details are provided in the available references.

EU & UK References

Vulnerability details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords)…

more

through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Vuln is an authenticated info disclosure in public-facing Argo CD API enabling direct retrieval of repository credentials (T1552 Unsecured Credentials) via exploitation of the exposed endpoint (T1190 Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42880Same product: Argoproj Argo Cd
CVE-2025-26001Shared CWE-200
CVE-2024-48125Shared CWE-200
CVE-2026-32609Shared CWE-200
CVE-2025-62188Shared CWE-200
CVE-2026-25146Shared CWE-200
CVE-2025-68438Shared CWE-200
CVE-2024-56902Shared CWE-200
CVE-2026-28229Same vendor: Argoproj
CVE-2026-4020Shared CWE-200

Affected Assets

argoproj
argo cd
2.2.0 — 2.13.9 · 2.14.0 — 2.14.16 · 3.0.0 — 3.0.14

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations to prevent API tokens with project get permissions from retrieving sensitive repository credentials via the project details endpoint.

prevent

Limits API token privileges to the minimum necessary, reducing risk of low-privilege tokens exploiting the vulnerability to access secrets.

prevent

Mandates timely identification, reporting, and correction of the specific flaw in Argo CD exposing repository credentials.

References