CVE-2026-43824

Severity: High
Published: 02 May 2026
Modified: 05 May 2026
KEV Added: not listed
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0001 (2.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-43824 is a high-severity Improper Removal of Sensitive Information Before Storage or Transfer (CWE-212) vulnerability. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). Its EPSS ranking places it at the 2.0th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unsecured Credentials (T1552). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Requires timely remediation of flaws like CVE-2026-43824 through patching Argo CD to eliminate ServerSideDiff exposure of cleartext Kubernetes secrets.

SI-15 Information Output Filtering (prevent): Implements output filtering to remove sensitive information such as plaintext Kubernetes secrets from Argo CD diff responses before delivery to users.

Monitoring (detect): Monitors for information disclosure events, enabling detection of unauthorized access to cleartext secrets via exploitation of the ServerSideDiff feature.
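The output-filtering control above (SI-15) is the generic defence against CWE-212: scrub Secret payloads from a manifest before a diff is computed and returned. The following is an added illustration written for this page, not Argo CD's own diff code. It assumes manifests arrive as parsed JSON/YAML dictionaries, masks `data` and `stringData` values with a keyed, truncated digest so a reviewer can see that a value changed without seeing the value, and walks `kind: List` wrappers so embedded Secrets are not missed. The mask key and the sample Secret are constructed placeholders.

```python
import copy
import difflib
import hashlib
import hmac
import json

# Constructed placeholder key: in a real service this would be a server-side
# secret, so the masked tokens cannot be brute-forced from low-entropy values.
MASK_KEY = b"example-only-mask-key"


def _mask(value: str) -> str:
    """Replace a secret value with a keyed, truncated digest.

    The digest lets a diff show *that* a value changed without revealing it.
    """
    tag = hmac.new(MASK_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:8]
    return f"<redacted:{tag}>"


def redact_secret(manifest: dict) -> dict:
    """Return a deep copy of `manifest` with Secret payload values masked.

    Kubernetes Secrets carry their payload in `data` (base64) and `stringData`
    (plaintext); both are masked, keys are kept so the diff still names which
    entries changed. Non-Secret resources pass through unchanged, and a
    `kind: List` wrapper is walked so embedded Secrets are handled too.
    """
    out = copy.deepcopy(manifest)
    if out.get("kind") == "List":
        out["items"] = [redact_secret(item) for item in out.get("items", [])]
        return out
    if out.get("kind") != "Secret":
        return out
    for field in ("data", "stringData"):
        values = out.get(field)
        if isinstance(values, dict):
            out[field] = {k: _mask(str(v)) for k, v in values.items()}
    return out


def redacted_diff(live: dict, desired: dict) -> list:
    """Unified diff of two manifests, computed only after both are redacted.

    Redacting before diffing (rather than filtering the diff afterwards) is the
    point: the cleartext never reaches the code path that renders the response.
    """
    a = json.dumps(redact_secret(live), indent=2, sort_keys=True).splitlines()
    b = json.dumps(redact_secret(desired), indent=2, sort_keys=True).splitlines()
    return list(difflib.unified_diff(a, b, "live", "desired", lineterm=""))


# Constructed sample input: a Secret whose password was rotated in Git.
LIVE = {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "db-creds"},
        "type": "Opaque", "stringData": {"password": "hunter2"}}
DESIRED = {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "db-creds"},
           "type": "Opaque", "stringData": {"password": "correct-horse"}}

if __name__ == "__main__":
    print("\n".join(redacted_diff(LIVE, DESIRED)))
```

The ordering matters: the diff is computed over already-redacted documents, so a bug in the diff renderer cannot leak what it never received. Using an unkeyed, truncated hash instead of the HMAC would let an observer confirm guesses for low-entropy values, which is why the mask is keyed.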

MITRE ATT&CK Enterprise Techniques

T1552 Unsecured Credentials (Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

The vulnerability allows low-privileged attackers to trigger ServerSideDiff in Argo CD and retrieve cleartext Kubernetes Secret data containing credentials/tokens, directly facilitating Unsecured Credentials collection.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.

Deeper analysis

CVE-2026-43824 is a vulnerability in Argo CD versions 3.2.0 through 3.2.10 and 3.3.0 through 3.3.8, where the ServerSideDiff feature enables reading cleartext Kubernetes Secret data. Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The issue is classified under CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) with a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high confidentiality impact across a changed scope.

An attacker with low-privilege access to Argo CD, such as a repository viewer or similar role, can exploit this over the network with low complexity and no user interaction required. By triggering the ServerSideDiff functionality, they can retrieve sensitive Kubernetes Secret data in plaintext, potentially exposing credentials, tokens, or other confidential information managed within the cluster.

The official advisory at https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3 recommends upgrading to Argo CD 3.2.11 or later for the 3.2.x series, or 3.3.9 or later for the 3.3.x series, as these versions address the ServerSideDiff exposure. No workarounds are detailed in the provided information.
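Because the advisory's only remedy is upgrading, the first practical step is deciding whether a given installation falls inside the affected ranges (3.2.0 up to but not including 3.2.11, and 3.3.0 up to but not including 3.3.9). The following is an added example for this page, not a tool from the Argo CD project. It encodes those ranges, tolerates the `v` prefix and `+build` metadata found in Argo CD version strings, and treats a pre-release such as `3.2.11-rc1` as older than the fixed release. The `argocd-server: vX.Y.Z+build` line format that `audit_version_output` scans for is an assumption about the CLI's output, and the sample output is constructed.

```python
import re
from typing import Optional, Tuple

# (major, minor, patch, release flag); the flag is 0 for a pre-release and
# 1 for a final release so that 3.2.11-rc1 sorts before 3.2.11.
Version = Tuple[int, int, int, int]

# Affected ranges exactly as the advisory states them: first affected
# (inclusive) to first fixed (exclusive), keyed by minor line.
AFFECTED_RANGES = {
    (3, 2): ((3, 2, 0, 0), (3, 2, 11, 1)),
    (3, 3): ((3, 3, 0, 0), (3, 3, 9, 1)),
}

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$"
)


def parse_version(text: str) -> Version:
    """Parse 'v3.2.10+abc123' or '3.3.9-rc1' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre, _build = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def fixed_version_for(text: str) -> Optional[str]:
    """Return the first fixed version if `text` is affected, else None.

    Minor lines other than 3.2 and 3.3 are outside the advisory and report
    None; they are not claimed to be safe or unsafe.
    """
    v = parse_version(text)
    rng = AFFECTED_RANGES.get(v[:2])
    if rng is None:
        return None
    lo, hi = rng
    if lo <= v < hi:
        return ".".join(str(n) for n in hi[:3])
    return None


_SERVER_LINE_RE = re.compile(r"^argocd-server:\s*(\S+)")


def audit_version_output(output: str) -> Optional[str]:
    """Find the server version in `argocd version` output and assess it.

    Assumes (not confirmed by the page) a line of the form
    'argocd-server: vX.Y.Z+build'. Returns the first fixed version when the
    server is affected, None when it is not, and raises if no line matches.
    """
    for line in output.splitlines():
        m = _SERVER_LINE_RE.match(line.strip())
        if m:
            return fixed_version_for(m.group(1))
    raise ValueError("no argocd-server line found in output")


# Constructed sample output; not captured from a real installation.
SAMPLE_OUTPUT = """\
argocd: v3.2.10+0000000
  BuildDate: 2026-01-01T00:00:00Z
argocd-server: v3.2.10+0000000
"""

if __name__ == "__main__":
    fix = audit_version_output(SAMPLE_OUTPUT)
    print("affected, upgrade to " + fix if fix else "not in an affected range")
```

The server version, not the CLI version, is what matters here, since ServerSideDiff is evaluated server-side; the example therefore keys on the `argocd-server` line and ignores the client line.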

Details

CWE(s): CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer)

CVEs Like This One

- CVE-2026-27640 (shared CWE-212)
- CVE-2024-8474 (shared CWE-212)
- CVE-2024-43384 (shared CWE-212)
- CVE-2026-32891 (shared CWE-212)
- CVE-2026-42880 (shared CWE-212)
- CVE-2026-34214 (shared CWE-212)
