{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/secret-extraction/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["argo-cd"],"_cs_severities":["critical"],"_cs_tags":["argocd","secret-extraction","kubernetes","credential-access"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eA vulnerability in Argo CD\u0026rsquo;s ServerSideDiff endpoint allows extraction of plaintext Kubernetes Secret data. It stems from a missing authorization check and a data-masking gap in the \u003ccode\u003e/application.ApplicationService/ServerSideDiff\u003c/code\u003e endpoint. An attacker with read-only access can use it to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server\u0026rsquo;s Server-Side Apply dry-run mechanism. The issue affects Argo CD versions v3.2.0 through v3.2.10 and v3.3.0 through v3.3.8. Any user holding Argo CD application get permission can exploit it, potentially exposing service account tokens, TLS certificates, database credentials, and API keys. 
The impact is heightened when the \u003ccode\u003eIncludeMutationWebhook=true\u003c/code\u003e annotation is set on Applications, as this bypasses a defense layer and makes exploitation easier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to Argo CD with read-only access or leverages existing access.\u003c/li\u003e\n\u003cli\u003eAttacker identifies an Argo CD Application with the \u003ccode\u003eargocd.argoproj.io/compare-options: IncludeMutationWebhook=true\u003c/code\u003e annotation.\u003c/li\u003e\n\u003cli\u003eAttacker identifies Kubernetes Secrets managed by Argo CD within the targeted Application.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious request to the \u003ccode\u003e/application.ApplicationService/ServerSideDiff\u003c/code\u003e endpoint, targeting the identified Secret.  The request simulates a server-side dry-run apply operation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eServerSideDiff\u003c/code\u003e function, due to the \u003ccode\u003eIncludeMutationWebhook=true\u003c/code\u003e setting, skips the \u003ccode\u003eremoveWebhookMutation()\u003c/code\u003e defense, which would normally mask sensitive data.\u003c/li\u003e\n\u003cli\u003eThe Kubernetes API server processes the dry-run request, retrieving the unmasked Secret data from etcd.\u003c/li\u003e\n\u003cli\u003eThe raw, unmasked Secret data is included in the API response to the attacker.\u003c/li\u003e\n\u003cli\u003eAttacker parses the response, extracts the plaintext Secret data, and uses it for unauthorized access or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows any user with Argo CD application get permissions to extract real Kubernetes Secret values. 
This can lead to the exposure of sensitive data, including service account tokens, TLS certificates, database credentials, and API keys. Depending on the permissions associated with the compromised secrets, attackers can gain unauthorized access to other systems, escalate privileges, or perform lateral movement within the Kubernetes cluster. The vulnerability affects Argo CD versions v3.2.0 through v3.2.10 and v3.3.0 through v3.3.8; v3.2.11 and v3.3.9 contain the fix.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Argo CD to v3.2.11 or v3.3.9 (or later) to patch CVE-2026-42880.\u003c/li\u003e\n\u003cli\u003eReview Argo CD Applications for the \u003ccode\u003eargocd.argoproj.io/compare-options: IncludeMutationWebhook=true\u003c/code\u003e annotation and remove the \u003ccode\u003eIncludeMutationWebhook=true\u003c/code\u003e option where it is not strictly necessary, prioritizing Applications that manage Secrets.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ArgoCD ServerSideDiff Secret Extraction Attempt\u003c/code\u003e to detect suspicious requests to the \u003ccode\u003e/application.ApplicationService/ServerSideDiff\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor Argo CD API-server logs for \u003ccode\u003eServerSideDiff\u003c/code\u003e calls, particularly from read-only identities, and treat bursts of calls against Applications that manage Secrets as suspicious.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T01:56:53Z","date_published":"2026-05-07T01:56:53Z","id":"/briefs/2024-01-argocd-secret-extraction/","summary":"A missing authorization check and data-masking gap in Argo CD's ServerSideDiff endpoint allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism, affecting versions v3.2.0-v3.2.10 and v3.3.0-v3.3.8.","title":"CraftedSignal Threat Feed — 
Secret-Extraction","version":"https://jsonfeed.org/version/1.1"}
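The two defensive steps in the brief's Recommendation section (audit Applications for `IncludeMutationWebhook=true`, and watch the API-server logs for `ServerSideDiff` calls) carried through as an added example. This is not code from the CraftedSignal brief, from the Sigma rule it names, or from Argo CD itself. The Application objects and the log lines are constructed; the log layout (logfmt lines with `grpc.method`, `grpc.service` and `grpc.request.claims` fields) is an assumption modelled on Argo CD's gRPC access logging and should be checked against your own `argocd-server` output before deployment. Because legitimate diff views can also hit this endpoint, the detection reports every call but separately flags subjects whose call count crosses a burst threshold, which is where triage should start.

```python
"""Audit Argo CD Applications for IncludeMutationWebhook=true and flag ServerSideDiff
calls in argocd-server logs. Added example for the CraftedSignal brief; not Argo CD code.
Sample Applications and log lines are constructed; the log field names are assumed."""
import json
import re
from collections import Counter

COMPARE_OPTIONS_ANNOTATION = "argocd.argoproj.io/compare-options"
RISKY_OPTION = "IncludeMutationWebhook=true"
TARGET_SERVICE = "application.ApplicationService"
TARGET_METHOD = "ServerSideDiff"

# Constructed Application objects, shaped like `kubectl get applications -o json` items.
SAMPLE_APPS = [
    {"metadata": {"name": "payments", "annotations": {
        COMPARE_OPTIONS_ANNOTATION: "ServerSideDiff=true, IncludeMutationWebhook=true"}}},
    {"metadata": {"name": "frontend", "annotations": {
        COMPARE_OPTIONS_ANNOTATION: "IgnoreExtraneous"}}},
    {"metadata": {"name": "batch", "annotations": None}},
]

# Constructed logfmt access-log lines (field layout assumed, see module docstring).
SAMPLE_LOGS = [
    # A plain Get is normal read activity and must not be flagged.
    'time="2026-05-07T01:39:58Z" level=info msg="finished unary call with code OK" grpc.code=OK '
    'grpc.method=Get grpc.request.claims="{\\"iat\\":1778118000,\\"sub\\":\\"dev-readonly\\"}" '
    'grpc.service=application.ApplicationService span.kind=server system=grpc',
    # Four ServerSideDiff calls from the same read-only subject inside two minutes.
    'time="2026-05-07T01:40:02Z" level=info msg="finished unary call with code OK" grpc.code=OK '
    'grpc.method=ServerSideDiff grpc.request.claims="{\\"iat\\":1778118000,\\"sub\\":\\"dev-readonly\\"}" '
    'grpc.service=application.ApplicationService span.kind=server system=grpc',
    'time="2026-05-07T01:40:19Z" level=info msg="finished unary call with code OK" grpc.code=OK '
    'grpc.method=ServerSideDiff grpc.request.claims="{\\"iat\\":1778118000,\\"sub\\":\\"dev-readonly\\"}" '
    'grpc.service=application.ApplicationService span.kind=server system=grpc',
    'time="2026-05-07T01:40:41Z" level=info msg="finished unary call with code OK" grpc.code=OK '
    'grpc.method=ServerSideDiff grpc.request.claims="{\\"iat\\":1778118000,\\"sub\\":\\"dev-readonly\\"}" '
    'grpc.service=application.ApplicationService span.kind=server system=grpc',
    'time="2026-05-07T01:41:05Z" level=info msg="finished unary call with code OK" grpc.code=OK '
    'grpc.method=ServerSideDiff grpc.request.claims="{\\"iat\\":1778118000,\\"sub\\":\\"dev-readonly\\"}" '
    'grpc.service=application.ApplicationService span.kind=server system=grpc',
    # One call from admin: reported as a hit, but below the burst threshold.
    'time="2026-05-07T01:41:30Z" level=info msg="finished unary call with code OK" grpc.code=OK '
    'grpc.method=ServerSideDiff grpc.request.claims="{\\"iat\\":1778118000,\\"sub\\":\\"admin\\"}" '
    'grpc.service=application.ApplicationService span.kind=server system=grpc',
]

# key=value pairs; a quoted value may contain spaces and \" escapes, an unquoted one may not.
LOGFMT_PAIR = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_logfmt(line):
    """Parse one logfmt line into a dict, unescaping quoted values."""
    fields = {}
    for key, raw in LOGFMT_PAIR.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def has_mutation_webhook(app):
    """True if the compare-options annotation enables IncludeMutationWebhook.
    The value is a comma-separated option list, so match whole options, not substrings."""
    annotations = app.get("metadata", {}).get("annotations") or {}
    options = {o.strip() for o in annotations.get(COMPARE_OPTIONS_ANNOTATION, "").split(",")}
    return RISKY_OPTION in options


def apps_with_mutation_webhook(apps):
    """Names of Applications whose compare-options weaken the removeWebhookMutation defense."""
    return [a["metadata"]["name"] for a in apps if has_mutation_webhook(a)]


def subject_of(fields):
    """JWT subject from grpc.request.claims (assumed field), or 'unknown' if absent/garbled."""
    try:
        claims = json.loads(fields.get("grpc.request.claims", ""))
    except json.JSONDecodeError:
        return "unknown"
    return claims.get("sub", "unknown") if isinstance(claims, dict) else "unknown"


def detect_server_side_diff(lines, burst_threshold=3):
    """Return (hits, bursts): every ServerSideDiff call, plus subjects at or over the threshold."""
    hits, per_subject = [], Counter()
    for line in lines:
        f = parse_logfmt(line)
        if f.get("grpc.service") != TARGET_SERVICE or f.get("grpc.method") != TARGET_METHOD:
            continue
        sub = subject_of(f)
        per_subject[sub] += 1
        hits.append({"time": f.get("time"), "subject": sub, "code": f.get("grpc.code")})
    bursts = {s: n for s, n in per_subject.items() if n >= burst_threshold}
    return hits, bursts


if __name__ == "__main__":
    print("Applications with IncludeMutationWebhook=true:", apps_with_mutation_webhook(SAMPLE_APPS))
    hits, bursts = detect_server_side_diff(SAMPLE_LOGS)
    for h in hits:
        print(f"{h['time']} ServerSideDiff by {h['subject']} ({h['code']})")
    print("Subjects over burst threshold:", bursts)
```

Feed real data in with `kubectl get applications -A -o json` (the `items` list) for the audit and a tail of `argocd-server` logs for the detection; tune `burst_threshold` against a baseline of how often your UI users actually trigger server-side diffs, and cross-reference any flagged subject with the audited Application list before escalating.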