Full Report
An Argo CD vulnerability allows API tokens with even low project-level get permissions to access API endpoints and retrieve all repository credentials associated with the project. [...]
Analysis Summary
# Vulnerability: Max Severity Argo CD API Flaw Leaks Repository Credentials
## CVE Details
- CVE ID: CVE-2025-55190
- CVSS Score: 10.0 (Critical)
- CWE: Not explicitly specified, generally related to Insecure Direct Object Reference (IDOR) or insufficient authorization checks.
## Affected Systems
- Products: Argo CD
- Versions: All versions prior to 2.13.9, 2.14.16, 3.0.14, and 3.1.2.
- Configurations: Any deployment running a version up to 2.13.0 that uses API tokens with project-level 'get' permissions, including tokens holding global permissions such as `projects, get, *, allow`.
## Vulnerability Description
A critical vulnerability exists in the Argo CD API where tokens possessing only low-level project-level 'get' permissions (or equivalent global permissions) can successfully access the project details API endpoint. This allows the token holder to retrieve all associated sensitive repository credentials, including usernames and passwords, even if the token was not explicitly granted access to secrets. This bypasses existing isolation mechanisms designed to protect credential information associated with projects.
## Exploitation
- Status: Not stated as exploited in the wild; the security advisory implies that a Proof of Concept (PoC) exists.
- Complexity: Low (Requires only a valid, low-privileged API token).
- Attack Vector: Network (Requires access to the Argo CD API endpoint).
## Impact
- Confidentiality: High. Sensitive repository credentials (usernames/passwords) are fully exposed.
- Integrity: High. With stolen credentials, an attacker can inject malicious manifests or alter deployment configurations.
- Availability: Medium. Potential for supply chain attacks or system disruption if the attacker pivots.
## Remediation
### Patches
Administrators must upgrade to the following fixed versions:
- Argo CD 3.1.2
- Argo CD 3.1.x (the specific patched version is not given in the summary)
- Argo CD 3.0.14
- Argo CD 2.14.16
- Argo CD 2.13.9
### Workarounds
No explicit workarounds are described in the summary. Until the patch is applied, the core mitigation is to ensure that no token holds permissions allowing retrieval of project details unless explicitly required, or to restrict network access to the API endpoints.
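The mitigation above depends on knowing which subjects actually hold `projects, get` permissions, directly or through role membership. The following Python script is an added example, not code from the Argo CD project or from the advisory: it parses a policy in the `policy.csv` format used by `argocd-rbac-cm`, resolves `g` role assignments (including nested roles), and lists every non-role subject that can `get` a given project, which on an unpatched version means that subject could also retrieve the project's repository credentials. The sample policy is constructed for illustration; the glob handling is simplified to exact match or `*`, and project-role tokens defined inside an `AppProject` spec are not covered because they do not appear in `policy.csv`.

```python
"""Audit which RBAC subjects can read a project's details (and, on unpatched
Argo CD, its repository credentials). Example code with a constructed policy;
assumes the policy.csv line shapes below and a simplified '*' glob."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample policy (not a real deployment's policy).
#   p, subject, resource, action, object, effect
#   g, subject, role
SAMPLE_POLICY = """\
# CI token may sync team-a apps and read the team-a project only
p, role:ci-deployer, applications, sync, team-a/*, allow
p, role:ci-deployer, projects, get, team-a, allow
# viewer can read every project: exposed on every project when unpatched
p, role:viewer, projects, get, *, allow
p, role:admin, *, *, *, allow
# syncer has no project read access at all
p, role:syncer, applications, sync, */*, allow
g, ci-token, role:ci-deployer
g, alice, role:viewer
g, bob, role:syncer
"""


def parse_policy(text):
    """Return (grants, roles). grants: subject -> [(resource, action, object, effect)];
    roles: subject -> {role, ...} from 'g' lines."""
    grants = defaultdict(list)
    roles = defaultdict(set)
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        if not row or row[0].startswith("#"):
            continue
        kind = row[0].strip()
        if kind == "p" and len(row) == 6:
            _, subject, resource, action, obj, effect = (f.strip() for f in row)
            grants[subject].append((resource, action, obj, effect))
        elif kind == "g" and len(row) == 3:
            roles[row[1].strip()].add(row[2].strip())
    return grants, roles


def _match(pattern, value):
    """Simplified glob: '*' matches anything, otherwise exact match (assumption)."""
    return pattern == "*" or pattern == value


def effective_grants(subject, grants, roles, seen=None):
    """Grants held directly plus those inherited through (nested) roles."""
    if seen is None:
        seen = set()
    if subject in seen:          # guard against cyclic role assignments
        return []
    seen.add(subject)
    out = list(grants.get(subject, []))
    for role in roles.get(subject, ()):
        out.extend(effective_grants(role, grants, roles, seen))
    return out


def can_get_project(subject, project, grants, roles):
    """True if the subject has an 'allow' for projects/get on this project and
    no matching 'deny' (deny overrides allow, as in Argo CD's Casbin model)."""
    allowed = False
    for resource, action, obj, effect in effective_grants(subject, grants, roles):
        if _match(resource, "projects") and _match(action, "get") and _match(obj, project):
            if effect == "deny":
                return False
            allowed = True
    return allowed


def subjects_exposed(policy_text, project):
    """Sorted list of non-role subjects able to read the given project."""
    grants, roles = parse_policy(policy_text)
    subjects = {s for s in set(grants) | set(roles) if not s.startswith("role:")}
    return sorted(s for s in subjects if can_get_project(s, project, grants, roles))


if __name__ == "__main__":
    for proj in ("team-a", "team-b"):
        print(proj, "->", subjects_exposed(SAMPLE_POLICY, proj))
```

Running the script against the constructed policy reports that `ci-token` and `alice` can read `team-a` while only `alice` can read `team-b`; on an unpatched version those are the tokens whose compromise would expose the respective project's repository credentials, so they are the first candidates for narrowing until the upgrade lands.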
## Detection
- Indicators of compromise: API calls from low-privileged tokens to project detail endpoints, specifically those that return repository configuration or credentials.
- Detection methods and tools: Monitoring Argo CD audit logs for suspicious API access patterns by low-privileged service accounts or project tokens.
## References
- Vendor Advisories: [github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff](https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff)
- Commit Fixing Issue: [github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8](https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8)