Critical Argo CD vulnerability exposes repository credentials through API token exploitation
Take action: If you're using Argo CD, treat this as an urgent advisory: repository secrets can be extracted by anyone holding an API token, even one with only basic project-level permissions. Upgrade to a patched version (v3.1.2, v3.0.14, v2.14.16, or v2.13.9) to fix CVE-2025-55190. Isolating instances and reducing the number and scope of tokens may limit exposure, but you still must patch, and quickly.
A critical security vulnerability has been discovered in Argo CD, the GitOps continuous delivery tool for Kubernetes. It allows API tokens with only basic project-level permissions to retrieve sensitive repository credentials, including usernames and passwords.
The flaw, tracked as CVE-2025-55190 (CVSS score 10.0), stems from improper access control enforcement in the Project API's detailed endpoint, /api/v1/projects/{project}/detailed. Authenticated users with limited project permissions can read repository secrets that should require explicit authorization, so even general-purpose tokens issued for routine operations can be used to harvest credentials.
The vulnerability affects the following versions:
- 2.13.0 through 2.13.8,
- 2.14.0 through 2.14.15,
- 3.0.0 through 3.0.12,
- 3.1.0-rc1 through 3.1.1.
Organizations should immediately upgrade to one of the following patched versions: v3.1.2, v3.0.14, v2.14.16, or v2.13.9.
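The following Python script is an added example, not code from this page or from the Argo CD project. It turns the two facts above into checks a practitioner can run: a version test against the affected ranges listed here, and an inspection of the JSON returned by /api/v1/projects/{project}/detailed for populated credential fields when called with a low-privilege token. The environment variable names (ARGOCD_SERVER, ARGOCD_TOKEN, ARGOCD_PROJECT, ARGOCD_INSECURE) are this example's own, the credential field names are assumed from the JSON tags of the Argo CD Repository type, and the sample response is constructed, not a real capture.

```python
"""Check an Argo CD deployment for CVE-2025-55190 exposure (added example)."""
import json
import os
import re
import ssl
import sys
import urllib.request

# Affected ranges as listed in the advisory: (first affected, first fixed).
# Anything below the patched release is treated as unpatched (conservative),
# so 3.0.13 counts as affected even though the list above stops at 3.0.12.
AFFECTED_RANGES = [
    ("2.13.0", "2.13.9"),
    ("2.14.0", "2.14.16"),
    ("3.0.0", "3.0.14"),
    ("3.1.0-rc1", "3.1.2"),
]

# Repository JSON fields that carry credentials. Assumed from the json tags
# of the Argo CD Repository type; adjust if your version names them differently.
SECRET_FIELDS = ("username", "password", "sshPrivateKey", "tlsClientCertKey",
                 "githubAppPrivateKey", "gcpServiceAccountKey", "bearerToken")


def parse_version(v):
    """'v3.1.0-rc1+abc' -> (3, 1, 0, 0, 'rc1'); a release sorts after its rc."""
    v = v.strip().lstrip("v").split("+", 1)[0]        # drop build metadata
    core, _, pre = v.partition("-")
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", core)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    # rc tags are compared as strings, which is adequate for the ranges above.
    return (major, minor, patch, 1 if pre == "" else 0, pre)


def is_affected(version):
    """True if version lies inside one of the listed affected ranges.

    Lines the advisory does not list (e.g. older, unsupported ones) return
    False; do not read that as safe, it only means they are not in the list.
    """
    pv = parse_version(version)
    return any(parse_version(lo) <= pv < parse_version(fixed)
               for lo, fixed in AFFECTED_RANGES)


def leaked_repositories(detailed_response):
    """Map repo URL -> populated credential fields found in a detailed-project response.

    A token holding only project-level read access should never see these populated.
    """
    leaks = {}
    for repo in detailed_response.get("repositories") or []:
        populated = [f for f in SECRET_FIELDS if repo.get(f)]
        if populated:
            leaks[repo.get("repo", "<unknown>")] = populated
    return leaks


def fetch_detailed_project(server, project, token, insecure=False):
    """GET /api/v1/projects/{project}/detailed with a bearer token."""
    url = f"{server.rstrip('/')}/api/v1/projects/{project}/detailed"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    ctx = ssl._create_unverified_context() if insecure else None  # lab use only
    with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
        return json.load(resp)


# Constructed sample of what an unpatched server returns (not a real capture).
SAMPLE_RESPONSE = {
    "project": {"metadata": {"name": "default"}},
    "repositories": [
        {"repo": "https://git.example.com/team/app.git", "type": "git",
         "username": "deploy", "password": "hunter2"},
        {"repo": "git@git.example.com:team/infra.git", "type": "git",
         "sshPrivateKey": "-----BEGIN OPENSSH PRIVATE KEY-----\n..."},
        {"repo": "https://charts.example.com", "type": "helm"},  # no stored creds
    ],
    "clusters": [],
}


def main(argv):
    if len(argv) > 1:
        v = argv[1]
        verdict = "AFFECTED, upgrade" if is_affected(v) else "not in the listed ranges"
        print(f"{v}: {verdict}")
    server, token = os.environ.get("ARGOCD_SERVER"), os.environ.get("ARGOCD_TOKEN")
    if server and token:
        # Use a token with only project get/read rights, never an admin token:
        # the point is to show that a low-privilege caller receives the secrets.
        data = fetch_detailed_project(server, os.environ.get("ARGOCD_PROJECT", "default"),
                                      token, insecure=os.environ.get("ARGOCD_INSECURE") == "1")
    else:
        print("ARGOCD_SERVER/ARGOCD_TOKEN not set; using the constructed sample response")
        data = SAMPLE_RESPONSE
    leaks = leaked_repositories(data)
    for repo, fields in leaks.items():
        print(f"credentials exposed for {repo}: {', '.join(fields)}")
    return 1 if leaks else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_argocd.py v3.1.1` to test a version string (for example the one reported by `argocd version`), or export ARGOCD_SERVER and a deliberately low-privilege ARGOCD_TOKEN to query a live instance; a non-zero exit means the response contained populated credential fields for a caller that should not have seen them.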
Organizations that cannot upgrade immediately should add compensating controls: restrict which API tokens exist and what they can do, limit network access to the API server, and monitor for unusual API access, in particular requests to the detailed project endpoint from tokens that do not normally use it. These measures reduce exposure but do not remove the need to patch.