Critical Argo CD API Flaw Exposes Repository Credentials

A critical security vulnerability has been discovered in Argo CD, the popular GitOps continuous delivery platform for Kubernetes, allowing API tokens with basic project permissions to access sensitive repository credentials, including usernames and passwords.

The flaw lies in the project details API endpoint (/api/v1/projects/{project}/detailed), where API tokens with standard application management permissions can retrieve repository credentials without requiring explicit access to secrets.

The vulnerability, designated as GHSA-786q-9hcg-v9ff, was disclosed by security researcher Michael Crenshaw and affects all Argo CD versions from 2.2.0-rc1 onwards.

This represents a significant privilege escalation issue, as tokens intended for routine application operations gain unauthorized access to sensitive authentication data.

The flaw affects not only project-level permissions but also extends to any token with project get permissions, including global permissions such as p, role/user, projects, get, *, allow.

This broad scope significantly amplifies the potential impact across enterprise Argo CD deployments where multiple teams and automated systems rely on scoped API tokens for GitOps operations.

Technical Impact and Exploitation Details

The vulnerability manifests when API tokens with seemingly benign permissions, such as application synchronization and retrieval, can access the detailed project endpoint.

A typical exploitation scenario involves a token configured with basic project permissions executing a simple HTTP GET request to the vulnerable endpoint, which then returns a JSON response containing plaintext repository credentials.

The security researcher demonstrated the vulnerability using a token with standard permissions, including "applications, sync", "applications, action", and "applications, get".

When this token queries the project details API, the response inappropriately includes a repositories array containing sensitive credential information such as usernames, passwords, repository types, and associated project names.

This represents a fundamental breakdown in the principle of least privilege, where authentication tokens gain access to data far beyond their intended scope.

In enterprise environments where Argo CD manages hundreds of applications across multiple repositories, this vulnerability could expose critical infrastructure credentials to unauthorized parties.

CVE ID: CVE-2025-55190
Title: Argo CD Project API Token Exposes Repository Credentials
Severity: Critical (9.8/10)

Organizations using Argo CD should immediately upgrade to the patched versions and audit their API token permissions.
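For the token permission audit, the following added example (not code from Argo CD or from the advisory) scans an RBAC policy in the "p, subject, resource, action, object, effect" form quoted above and lists every subject that is allowed "projects, get". The sample policy is constructed, and treating the resource and action fields as glob patterns is an assumption of this sketch.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed sample policy (not from a real deployment); the first rule is
# the global permission quoted in the article.
SAMPLE_POLICY = """\
p, role/user, projects, get, *, allow
p, role:ci-sync, applications, sync, team-a/*, allow
p, role:ci-sync, applications, get, team-a/*, allow
p, role:auditor, *, get, *, allow
p, role:locked, projects, get, *, deny
g, ci-bot, role:ci-sync
g, alice, role:auditor
"""

def parse_policy(text):
    """Split policy CSV into permission rules (p) and role bindings (g)."""
    rules, bindings = [], []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [field.strip() for field in row]
        if not row or row[0].startswith("#"):
            continue  # skip blank lines and comments
        if row[0] == "p" and len(row) == 6:
            rules.append(tuple(row[1:]))
        elif row[0] == "g" and len(row) == 3:
            bindings.append((row[1], row[2]))
    return rules, bindings

def project_get_grants(text):
    """Return {subject: [project patterns]} for allow rules covering projects/get."""
    rules, bindings = parse_policy(text)
    grants = {}
    for subject, resource, action, obj, effect in rules:
        # Assumption: resource and action are glob patterns, so "*" matches.
        if (effect == "allow" and fnmatchcase("projects", resource)
                and fnmatchcase("get", action)):
            grants.setdefault(subject, []).append(obj)
    # Members bound to a flagged role inherit its grants (one level of g rules).
    direct = {subject: list(objs) for subject, objs in grants.items()}
    for member, role in bindings:
        if role in direct:
            grants.setdefault(member, []).extend(direct[role])
    return grants

if __name__ == "__main__":
    for subject, projects in sorted(project_get_grants(SAMPLE_POLICY).items()):
        print(f"{subject}: projects get on {projects}")
```

Tokens issued to project roles that hold only application permissions do not appear in this output and need separate review, since the article describes them reaching the endpoint as well.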

The vulnerability underscores the importance of implementing proper access controls and regular security assessments in GitOps infrastructure, particularly as these systems often serve as central orchestration points for entire application deployment pipelines.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
