Argo CD, a widely used tool for deploying software to Kubernetes, has an unpatched flaw in its repo-server component that lets an unauthenticated attacker run code, provided they can reach the component's internal network port.
Synacktiv, which found the bug, says it can lead to a full cluster takeover. There is no fix and no CVE. The firm says it reported the flaw to Argo CD's maintainers in January 2025; roughly eighteen months later, it remains unpatched, so it published the details to warn users.
The bug sits in repo-server, the Argo CD component that reads Git repositories and builds Kubernetes manifests, the files that define what the cluster deploys.
Its internal gRPC service has no authentication; anyone who can reach it can send a crafted request to run a command. Synacktiv demonstrated the attack against Argo CD v2.13.3 and reports no patched release; it did not publish a full list of affected versions.
The technique abuses kustomize, a standard tool Argo CD runs to turn repository files into manifests. Kustomize has a --helm-command option that points to the helm binary it should call.
Synacktiv found that an unauthenticated request to the repo-server's GenerateManifest service can set that option to a script instead, pulled from an attacker-controlled Git repository. When kustomize runs, it executes the script rather than helm.
But "internal" does not mean isolated by default. Argo CD ships Kubernetes network policies that wall the repo-server off from everything except its own components.
Synacktiv found that the Helm chart, a common way to install Argo CD, leaves these policies off by default, with networkPolicy.create set to false. In that setup, an attacker who compromises a single pod in the cluster can reach the repo-server and trigger the bug.
Running code on the repo-server is not the end of it. Synacktiv used that access to read the cluster's Redis password from an environment variable, connect to Argo CD's Redis cache, and poison the stored deployment data. On the next automatic sync, Argo CD deployed an attacker-supplied workload.
That step revives CVE-2024-31989, a 2024 flaw Cycode found where Argo CD's Redis had no password, letting any pod in the cluster poison the deployment cache. Argo CD fixed that by adding a Redis password, but the cache itself is still not signed, so stealing the password again reopens the same attack.
What to do
There is no patched version, so the defense is network isolation. Turn on Kubernetes network policies so that only Argo CD's own components can reach the repo-server and Redis ports. Argo CD provides the policy files; Helm users must enable them because the chart leaves them off.
Check what is active with: kubectl get networkpolicy -A. A healthy installation shows one network policy per component, including the repo-server and Redis. If those policies are missing, the repo-server and Redis ports are reachable from the rest of the cluster.
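The kubectl listing above tells you whether policies exist, but not whether they actually fence off the two ports that matter. The audit script below is an added example, not Synacktiv's tool and not Argo CD project code. It reads the JSON that kubectl get networkpolicy -n argocd -o json produces and reports, for the repo-server and for Redis, whether any policy selects the component, whether that policy's ingress rules cover the component's port, and whether every allowed source is pinned to an Argo CD pod. It assumes the upstream Argo CD labels and ports (app.kubernetes.io/name=argocd-repo-server on TCP 8081, app.kubernetes.io/name=argocd-redis on TCP 6379, all Argo CD components labelled argocd-*) and the namespace name argocd; the three sample policy sets embedded in it are constructed to mirror a locked-down install, the Helm chart default with networkPolicy.create=false, and a policy whose rule has no source restriction.

```python
"""Audit Argo CD NetworkPolicies from `kubectl get networkpolicy -n argocd -o json`.

Added example (not Synacktiv's or the Argo CD project's code). Assumed, from the
upstream Argo CD manifests rather than the article: repo-server pods carry
app.kubernetes.io/name=argocd-repo-server and serve gRPC on TCP 8081; Redis pods
carry app.kubernetes.io/name=argocd-redis on TCP 6379; every Argo CD component
carries an app.kubernetes.io/name label beginning with "argocd-".
"""
import json
import sys

NAME_LABEL = "app.kubernetes.io/name"

# component -> (pod label value, port that must be locked down)
PROTECTED = {
    "repo-server": ("argocd-repo-server", 8081),
    "redis": ("argocd-redis", 6379),
}


def _selects(policy, label_value):
    """True if the policy's podSelector targets pods with the given name label."""
    labels = policy.get("spec", {}).get("podSelector", {}).get("matchLabels", {})
    return labels.get(NAME_LABEL) == label_value


def _rule_covers_port(rule, port):
    """A rule with no `ports` list applies to every port; otherwise look for the port."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p.get("port") == port for p in ports)


def _peer_is_argocd_pod(peer):
    """Accept only a podSelector pinned to an Argo CD component.

    namespaceSelector/ipBlock peers, or a podSelector without the name label,
    would let pods outside Argo CD through, so they count as findings.
    """
    if "namespaceSelector" in peer or "ipBlock" in peer:
        return False
    sel = peer.get("podSelector")
    if sel is None:
        return False
    return sel.get("matchLabels", {}).get(NAME_LABEL, "").startswith("argocd-")


def audit(policy_list):
    """Return {component: [findings]}; an empty list means the port is fenced off."""
    items = policy_list.get("items", [])
    findings = {}
    for comp, (label_value, port) in PROTECTED.items():
        problems = []
        matching = [p for p in items if _selects(p, label_value)]
        if not matching:
            problems.append(f"no NetworkPolicy selects {label_value}; port {port} is reachable cluster-wide")
        for pol in matching:
            spec = pol.get("spec", {})
            name = pol.get("metadata", {}).get("name", "<unnamed>")
            # Kubernetes treats a policy without policyTypes as an Ingress policy.
            if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
                problems.append(f"{name}: policyTypes does not include Ingress")
                continue
            for rule in spec.get("ingress", []):
                if not _rule_covers_port(rule, port):
                    continue
                peers = rule.get("from")
                if not peers:  # missing or empty `from` matches every source
                    problems.append(f"{name}: ingress rule for port {port} has no 'from' (allows all sources)")
                    continue
                for peer in peers:
                    if not _peer_is_argocd_pod(peer):
                        problems.append(f"{name}: ingress to port {port} allowed from non-Argo CD peer {peer}")
        findings[comp] = problems
    return findings


def _policy(name, target, sources, port):
    """Build a NetworkPolicy dict shaped like the upstream Argo CD manifests (constructed)."""
    return {
        "metadata": {"name": name},
        "spec": {
            "podSelector": {"matchLabels": {NAME_LABEL: target}},
            "policyTypes": ["Ingress"],
            "ingress": [{
                "from": [{"podSelector": {"matchLabels": {NAME_LABEL: s}}} for s in sources],
                "ports": [{"port": port, "protocol": "TCP"}],
            }],
        },
    }


# Constructed sample: a locked-down namespace, mirroring the upstream policies.
HEALTHY = {"items": [
    _policy("argocd-repo-server-network-policy", "argocd-repo-server",
            ["argocd-server", "argocd-application-controller"], 8081),
    _policy("argocd-redis-network-policy", "argocd-redis",
            ["argocd-server", "argocd-repo-server", "argocd-application-controller"], 6379),
]}
# Constructed sample: the Helm chart default (networkPolicy.create=false), no policies at all.
CHART_DEFAULT = {"items": []}
# Constructed sample: a policy exists, but its rule has an empty `from`, so every source is allowed.
OVERBROAD = {"items": [_policy("argocd-repo-server-network-policy", "argocd-repo-server", [], 8081)]}

if __name__ == "__main__":
    # Usage: kubectl get networkpolicy -n argocd -o json > netpol.json && python3 audit.py netpol.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else CHART_DEFAULT
    for comp, problems in audit(data).items():
        print(f"[{'OK' if not problems else 'EXPOSED'}] {comp}")
        for problem in problems:
            print("   -", problem)
```

Run it against the live export and treat any EXPOSED line as the condition the article describes: a pod anywhere in the cluster can open the repo-server's gRPC port or the Redis port. The check is deliberately strict about sources; a rule that admits a whole namespace via namespaceSelector is flagged even though it is narrower than no policy at all, because the attack only needs one compromised pod in that namespace.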
Synacktiv built a tool, argo-cdown, that automates the full attack. It is holding the tool back for now to give defenders time to lock down their network policies, and says it will publish it on GitHub later so administrators can test their own deployments.
This is not Argo CD's first exposure of its own internals. In September 2025, it patched CVE-2025-55190, where an API token with only basic read access could pull back a project's Git repository credentials, a flaw that The Hacker News flagged at the time.
In May 2026, another bug, CVE-2026-42880, allowed read-only users to read plaintext Kubernetes secrets. The pattern is hard to miss: Argo CD concentrates cluster access and repository secrets, and its internal surfaces keep handing them out, to an unauthenticated request in one bug and a low-privilege token in the next.
Until a patch ships, treating the cluster network as hostile is the only real defense.