Critical Argo CD API Flaw Exposes Repository Credentials to Attackers

A critical security vulnerability has been identified in Argo CD, an open-source tool widely used for Kubernetes GitOps deployments.

This flaw allows project-level API tokens to inadvertently expose sensitive repository credentials, such as usernames and passwords, to unauthorized parties. The vulnerability has been assigned a CVSS score of 9.8/10 and is cataloged as CVE-2025-55190.

The vulnerability was disclosed three days ago by security researcher crenshaw-dev, in collaboration with other contributors from the community.

Argo CD versions starting from 2.2.0-rc1 are affected. The issue has been resolved in versions v3.1.2, v3.0.14, v2.14.16, and v2.13.9.

Details of the Vulnerability

The vulnerability is located in the Project API endpoint (/api/v1/projects/{project}/detailed). Through this endpoint, API tokens with project-level permissions can read repository credentials even though they hold no explicit permission to view secrets.

CVE ID: CVE-2025-55190
Title: Argo CD Project API Token Exposes Repository Credentials
Severity: Critical (9.8/10)

This exposure occurs even if the tokens are not explicitly granted permissions to view secrets. Normally, repository credentials should be accessible only to accounts or roles with explicit permissions to manage them.

The vulnerability affects both project-scoped roles and globally scoped permissions: any token holding generic project permissions can trigger the exposure, which broadens the attack surface.

A proof-of-concept demonstrated that creating a token with automation roles and calling the project details API can reveal sensitive repository information.

The response includes repository entries containing usernames and passwords in plain text, enabling potential attackers to compromise the system further.

Exploitation of this vulnerability could enable attackers to alter deployments, introduce malicious images, or disrupt the software supply chain. The risk profile is particularly high because exploitation requires only low privileges and no user interaction.

Patches and Mitigation

The Argo CD team has issued security patches across multiple versions. Users are advised to upgrade to one of the patched versions immediately:

  • v3.1.2
  • v3.0.14
  • v2.14.16
  • v2.13.9

Organizations unable to apply the patch immediately should rotate repository credentials and limit access to API tokens until updates are implemented.
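To triage a fleet of Argo CD installations against the version boundaries quoted in this article, here is an added example (not code from the advisory or the Argo CD project) that classifies a version string as not affected, vulnerable, patched, or on a branch newer than the advisory lists; the inventory data and the function names are constructed for illustration.

```python
import re
from typing import Tuple

# Boundaries taken from the advisory: first affected release and the first
# fixed release on each maintained branch (keyed by major.minor).
FIRST_AFFECTED = "2.2.0-rc1"
FIXED_BY_BRANCH = {(3, 1): "3.1.2", (3, 0): "3.0.14", (2, 14): "2.14.16", (2, 13): "2.13.9"}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'v2.13.9' or '2.2.0-rc1' into a sortable tuple.

    Release candidates must sort below the final release, so the fourth
    component is the rc number for candidates and a large sentinel for finals.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {text!r}")
    major, minor, patch, rc = m.groups()
    pre = int(rc) if rc is not None else 10**6
    return (int(major), int(minor), int(patch), pre)


def classify(version: str) -> str:
    """Return 'not_affected', 'patched', 'vulnerable' or 'unknown' for a version."""
    v = parse_version(version)
    if v < parse_version(FIRST_AFFECTED):
        return "not_affected"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return "patched" if v >= parse_version(fixed) else "vulnerable"
    if v[:2] > max(FIXED_BY_BRANCH):
        return "unknown"  # branch newer than the advisory covers; check its release notes
    return "vulnerable"  # 2.2 through 2.12: affected, with no fixed release on that branch


def triage(inventory: dict) -> dict:
    """Map each cluster name to its classification for a {cluster: version} inventory."""
    return {name: classify(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real cluster data.
    sample = {"prod-eu": "v2.14.15", "prod-us": "v3.1.2", "dev": "v2.2.0-rc1", "legacy": "v2.1.7"}
    for cluster, status in triage(sample).items():
        print(f"{cluster:10} {sample[cluster]:12} {status}")
```

Anything reported as vulnerable should be upgraded to the fixed release for its branch, and credentials stored in the affected project repositories rotated as the article advises.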
