Secret-Extraction — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/secret-extraction/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 07 May 2026 01:56:53 +0000ArgoCD ServerSideDiff Secret Extraction Vulnerabilityhttps://feed.craftedsignal.io/briefs/2024-01-argocd-secret-extraction/Thu, 07 May 2026 01:56:53 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-argocd-secret-extraction/A missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism, affecting versions v3.2.0-v3.2.10 and v3.3.0-v3.3.8.A vulnerability exists in Argo CD’s ServerSideDiff endpoint that allows for the extraction of plaintext Kubernetes Secret data. The vulnerability stems from a missing authorization and data-masking gap in the /application.ApplicationService/ServerSideDiff endpoint. This allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server’s Server-Side Apply dry-run mechanism. The issue affects Argo CD versions v3.2.0 through v3.2.10 and v3.3.0 through v3.3.8. Exploitation is possible by any user with Argo CD application get permissions, potentially exposing sensitive information such as service account tokens, TLS certificates, database credentials, and API keys. The impact is heightened when the IncludeMutationWebhook=true annotation is set on Applications, as this bypasses a defense layer and makes exploitation easier.

Attack Chain

  1. Attacker authenticates to Argo CD with read-only access or leverages existing access.
  2. Attacker identifies an Argo CD Application with the argocd.argoproj.io/compare-options: IncludeMutationWebhook=true annotation.
  3. Attacker identifies Kubernetes Secrets managed by Argo CD within the targeted Application.
  4. Attacker crafts a malicious request to the /application.ApplicationService/ServerSideDiff endpoint, targeting the identified Secret. The request simulates a server-side dry-run apply operation.
  5. The ServerSideDiff function, due to the IncludeMutationWebhook=true setting, skips the removeWebhookMutation() defense, which would normally mask sensitive data.
  6. The Kubernetes API server processes the dry-run request, retrieving the unmasked Secret data from etcd.
  7. The raw, unmasked Secret data is included in the API response to the attacker.
  8. Attacker parses the response, extracts the plaintext Secret data, and uses it for unauthorized access or lateral movement.

Impact

Successful exploitation of this vulnerability allows any user with Argo CD application get permissions to extract real Kubernetes Secret values. This can lead to the exposure of sensitive data, including service account tokens, TLS certificates, database credentials, and API keys. Depending on the permissions associated with the compromised secrets, attackers can gain unauthorized access to other systems, escalate privileges, or perform lateral movement within the Kubernetes cluster. The vulnerability affects Argo CD versions between 3.2.0 and 3.2.11 and between 3.3.0 and 3.3.9.

Recommendation

  • Upgrade Argo CD to version v3.2.11 or v3.3.9 or later to patch CVE-2026-42880.
  • Review Argo CD Applications for the presence of the argocd.argoproj.io/compare-options: IncludeMutationWebhook=true annotation and remove it where not strictly necessary.
  • Deploy the Sigma rule Detect ArgoCD ServerSideDiff Secret Extraction Attempt to detect suspicious requests to the /application.ApplicationService/ServerSideDiff endpoint.
  • Monitor Argo CD logs for unusual activity related to the ServerSideDiff function.
]]>criticaladvisoryargocdsecret-extractionkubernetescredential-access