CVE-2025-55190

High PUBLISHED

Argo CD: Project API Token Exposes Repository Credentials

argoproj · argo-cd

Not yet in CISA KEV

Exploited in the wild PoC available

Recommended Action

Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.

Confidence
High
Exploitation Status
Exploited in the wild
Observed in Sensors
No
Attempts (30d)
Unique Attacker IPs
CISA KEV
Not yet in CISA KEV
CVSS / EPSS
10.0 Critical

At a Glance

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.

nuclei_scanner
CVE Published
Sep 04, 2025
Exploitation Reported
Jan 02, 2026
CVSS
10.0 Critical
EPSS
Remote Low complexity No user interaction

Affected Versions

Vendor Product Version Status
argoproj
argo-cd

>= 2.13.0, < 2.13.9

Affected
argoproj
argo-cd

>= 2.14.0, < 2.14.16

Affected
argoproj
argo-cd

>= 3.0.0, < 3.0.14

Affected
argoproj
argo-cd

>= 3.1.0-rc1, < 3.1.2

Affected

CVE References

Recommended Actions

  • Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.