CVE-2026-43824
Published: 02 May 2026
Summary
CVE-2026-43824 is a high-severity Improper Removal of Sensitive Information Before Storage or Transfer (CWE-212) vulnerability in Redhat (inferred from references). Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE is ranked at the 13.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-43824 is a vulnerability in Argo CD versions 3.2.0 through 3.2.10 and 3.3.0 through 3.3.8, where the ServerSideDiff feature enables reading cleartext Kubernetes Secret data. Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The issue is classified under CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) with a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high confidentiality impact across a changed scope.
An attacker with low-privilege access to Argo CD, such as a repository viewer or similar role, can exploit this over the network with low complexity and no user interaction required. By triggering the ServerSideDiff functionality, they can retrieve sensitive Kubernetes Secret data in plaintext, potentially exposing credentials, tokens, or other confidential information managed within the cluster.
The official advisory at https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3 recommends upgrading to Argo CD 3.2.11 or later for the 3.2.x series, or 3.3.9 or later for the 3.3.x series, as these versions address the ServerSideDiff exposure. No workarounds are detailed in the provided information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26726
Vulnerability details
In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Unsecured Credentials (T1552)
Why these techniques?
The vulnerability allows low-privileged attackers to trigger ServerSideDiff in Argo CD and retrieve cleartext Kubernetes Secret data containing credentials/tokens, directly facilitating Unsecured Credentials collection.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of flaws like CVE-2026-43824 by patching Argo CD to eliminate the ServerSideDiff exposure of cleartext Kubernetes Secrets.
- SI-15 (Information Output Filtering): implements output filtering to remove sensitive information, such as plaintext Kubernetes Secret values, from Argo CD diff responses before they are delivered to users.
- Monitors for information disclosure events, enabling detection of unauthorized access to cleartext Secrets via exploitation of the ServerSideDiff feature.
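As an added example (not Argo CD's own code), the following Python mirrors the two controls above and the version ranges from the deeper analysis: a patch-triage check that flags the affected Argo CD releases (SI-2), and an output filter that blanks Secret values before a diff is returned (SI-15). The "++++++++" placeholder and the manifest shape are this example's own assumptions.

```python
"""Defender-side checks for CVE-2026-43824 (added example, not Argo CD code)."""
import copy
import re

# First fixed release of each affected series, per the advisory:
# 3.2.0 through 3.2.10 is fixed in 3.2.11; 3.3.0 through 3.3.8 in 3.3.9.
FIXED = {(3, 2): (3, 2, 11), (3, 3): (3, 3, 9)}
REDACTED = "++++++++"  # assumed placeholder, not taken from the page


def parse_version(version: str) -> tuple:
    """Turn 'v3.2.10' or '3.3.8-rc1' into (3, 2, 10); reject anything else."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version falls in 3.2.0..3.2.10 or 3.3.0..3.3.8."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed


def redact_secret(manifest: dict) -> dict:
    """Return a copy of a Secret with every value blanked, keys preserved.

    Keeping the keys means a diff still shows *which* entries changed
    without ever carrying the cleartext. Non-Secret objects pass through.
    """
    if manifest.get("kind") != "Secret":
        return manifest
    out = copy.deepcopy(manifest)
    for field in ("data", "stringData"):
        if isinstance(out.get(field), dict):
            out[field] = {k: REDACTED for k in out[field]}
    return out


# Constructed sample Secret, shaped like a manifest a server-side diff returns.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "prod"},
    "data": {"password": "cGFzc3dvcmQ="},   # base64 of 'password'
    "stringData": {"token": "plain-token"},
}

if __name__ == "__main__":
    print(is_affected("v3.2.10"), is_affected("3.2.11"))  # True False
    print(redact_secret(SAMPLE_SECRET)["data"])  # {'password': '++++++++'}
```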