Back to KEVs

CVE-2025-55190

Argo CD: Project API Token Exposes Repository Credentials

Basic Information

CVE State
PUBLISHED
Reserved Date
August 08, 2025
Published Date
September 04, 2025
Last Updated
September 05, 2025
Vendor
argoproj
Product
argo-cd
Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.
Tags
nuclei_scanner

CVSS Scores

CVSS v3.1

10.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC Information

Exploitation
none
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-01-02 00:00:00 UTC) Source

References

https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2026-01-02 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-55190.yaml 2026-06-01 15:34:42 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Detected by Nuclei