- An unpatched flaw in Argo CD's repo-server component allows unauthenticated remote code execution and can lead to full Kubernetes cluster takeover.
- Disclosed by Synacktiv after 18 months without a fix, the vulnerability can be exploited by any attacker with network access to the repo-server's internal service port.
- The default Helm chart installation leaves critical network policies disabled, allowing a compromised pod to escalate to a complete cluster compromise.
- With no official software patch available, defenders must immediately enable the Kubernetes network policies that ship with Argo CD to isolate the repo-server.
A critical, unpatched security flaw in the popular Argo CD Kubernetes deployment tool was detailed on July 01, 2026, exposing clusters to complete takeover. According to a report from Synacktiv, the vulnerability allows unauthenticated attackers to execute code on the internal repo-server component. This can lead directly to a full cluster compromise.
The bug resides in the repo-server's internal gRPC service, which has no authentication at all. Anyone who can reach the port can therefore send a crafted request that abuses the kustomize tool's --helm-command option, which tells kustomize which binary to run as Helm, to execute an attacker-controlled script. The one precondition is network access to the repo-server's service port.
In the default configuration of Argo CD's Helm chart, network policies are disabled, so any compromised pod in the cluster can reach the repo-server and trigger the exploit. From there, attackers can steal the Redis password and poison the deployment cache.
This revives an attack vector similar to CVE-2024-31989, in which poisoning the Redis cache forced the deployment of malicious workloads. Synacktiv said it is withholding its argo-cdown attack tool to give defenders time to act.
Synacktiv recommends enabling the network policies shipped with Argo CD. Because no patched version is available, administrators should verify that these policies are actually active in their cluster rather than assume the defaults cover them. A NetworkPolicy object is only enforced if the cluster's CNI plugin supports network policy; on a CNI without enforcement the object is accepted by the API server but has no effect. This incident follows other recent vulnerabilities, such as CVE-2026-42880, that also leaked sensitive data.
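One way to check that the repo-server is actually fenced off, given the Helm default described above and Synacktiv's advice to verify the policies, is to audit the NetworkPolicy objects in the Argo CD namespace. The script below is an added example, not Synacktiv's tooling or Argo CD project code. It reads the JSON that `kubectl get networkpolicy -n argocd -o json` prints (the samples embedded at the bottom are constructed to look like that output) and reports whether the repo-server port can be reached from arbitrary pods. It assumes the repo-server pods carry the labels listed in the code and listen on 8081, Argo CD's default; the label names and port are assumptions to confirm against your deployment.

```python
"""Audit the NetworkPolicies that are supposed to fence off Argo CD's repo-server.

Added example (not Synacktiv's or Argo CD's code). Input is the JSON from
`kubectl get networkpolicy -n argocd -o json`; the samples below are constructed.
Assumed: repo-server pods carry REPO_SERVER_LABELS and listen on 8081.
"""
import json
import sys

REPO_SERVER_PORT = 8081  # Argo CD default; assumed
# Labels assumed on the repo-server pods; confirm with `kubectl get pod --show-labels`.
REPO_SERVER_LABELS = {
    "app.kubernetes.io/name": "argocd-repo-server",
    "app.kubernetes.io/component": "repo-server",
    "app.kubernetes.io/part-of": "argocd",
}


def selector_matches(selector, labels):
    """Evaluate a Kubernetes label selector against a pod's labels.

    An empty selector ({}) matches every pod, which is how default-deny policies
    are written. Only matchLabels and the In/Exists operators are handled; any
    other operator raises so a policy is never silently misjudged.
    """
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        op, key = expr.get("operator"), expr.get("key")
        if op == "Exists":
            if key not in labels:
                return False
        elif op == "In":
            if labels.get(key) not in expr.get("values", []):
                return False
        else:
            raise ValueError(f"unsupported selector operator: {op}")
    return True


def rule_covers_port(rule, port):
    """True if an ingress rule applies to `port`; no port list means every port.
    Named ports are not resolved here and are treated as not matching."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == "TCP" for p in ports)


def peer_is_broad(peer):
    """True for a `from` entry that admits whole groups of pods rather than named
    ones: a catch-all ipBlock, a namespaceSelector with no podSelector (every pod
    in the selected namespaces), or an empty podSelector (every pod here)."""
    if "ipBlock" in peer:
        return peer["ipBlock"].get("cidr") in ("0.0.0.0/0", "::/0")
    pod_sel = peer.get("podSelector")
    if pod_sel is None:
        return "namespaceSelector" in peer
    return not pod_sel.get("matchLabels") and not pod_sel.get("matchExpressions")


def audit(policies, pod_labels=REPO_SERVER_LABELS, port=REPO_SERVER_PORT):
    """Return (exposed, findings); exposed is True when pods outside an explicit
    allow-list could reach the repo-server port.

    NetworkPolicies are additive: a connection is allowed if any policy selecting
    the pod allows it, so a single permissive policy defeats a restrictive one.
    """
    findings, applicable = [], []
    for pol in policies.get("items", []):
        spec = pol.get("spec", {})
        types = spec.get("policyTypes") or ["Ingress"]  # Ingress is implied when omitted
        if "Ingress" in types and selector_matches(spec.get("podSelector", {}), pod_labels):
            applicable.append(pol)
    if not applicable:
        findings.append(f"no NetworkPolicy selects the repo-server pods; port {port} is open to every pod")
        return True, findings
    exposed = False
    for pol in applicable:
        name = pol.get("metadata", {}).get("name", "<unnamed>")
        rules = [r for r in pol.get("spec", {}).get("ingress") or [] if rule_covers_port(r, port)]
        if not rules:
            findings.append(f"{name}: no ingress rule covers port {port} (denies it)")
        for rule in rules:
            peers = rule.get("from")
            if not peers:
                findings.append(f"{name}: rule for port {port} has no 'from' and allows all sources")
                exposed = True
            elif any(peer_is_broad(p) for p in peers):
                findings.append(f"{name}: rule for port {port} admits a whole namespace or CIDR")
                exposed = True
            else:
                findings.append(f"{name}: port {port} limited to {len(peers)} named pod selector(s)")
    return exposed, findings


# Constructed samples shaped like the kubectl output. The first follows the shape of
# the repo-server policy in Argo CD's upstream manifests; the second is what you get
# when the Helm chart is installed without enabling network policies.
SAMPLE_RESTRICTED = {"items": [{
    "metadata": {"name": "argocd-repo-server-network-policy"},
    "spec": {
        "podSelector": {"matchLabels": {"app.kubernetes.io/name": "argocd-repo-server"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [
                {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "argocd-server"}}},
                {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "argocd-application-controller"}}},
            ],
            "ports": [{"protocol": "TCP", "port": 8081}],
        }],
    },
}]}
SAMPLE_HELM_DEFAULT = {"items": []}

if __name__ == "__main__":
    # kubectl get networkpolicy -n argocd -o json > netpol.json && python3 audit.py netpol.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HELM_DEFAULT
    exposed, findings = audit(data)
    print("\n".join(findings))
    sys.exit(1 if exposed else 0)
```

Run without arguments it audits the Helm-default sample and exits non-zero, since no policy selects the repo-server at all. In the Argo CD Helm chart the shipped policies are created only when `global.networkPolicy.create` is set to true (it defaults to false; confirm the key against your chart version's values.yaml). Because policies are additive, the audit flags any policy that opens the port to a whole namespace, a CIDR, or everything, not just the absence of a policy; and it says nothing about whether the cluster's CNI enforces NetworkPolicy at all, which still has to be checked separately.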
