Categories: Cyber Security News

Critical Argo CD API Flaw Exposes Repository Credentials

A critical security vulnerability has been discovered in Argo CD, the popular GitOps continuous delivery platform for Kubernetes, allowing API tokens with basic project permissions to access sensitive repository credentials, including usernames and passwords.

The vulnerability lies in the project details API endpoint (/api/v1/projects/{project}/detailed), where API tokens holding only standard application management permissions can retrieve repository credentials without being granted explicit access to secrets.

The vulnerability, designated as GHSA-786q-9hcg-v9ff, was disclosed by security researcher Michael Crenshaw and affects all Argo CD versions from 2.2.0-rc1 onwards.

This represents a significant privilege escalation issue, as tokens intended for routine application operations gain unauthorized access to sensitive authentication data.

The flaw is not limited to project-level roles: it extends to any token with projects get permission, including global grants such as the RBAC policy line p, role:user, projects, get, *, allow.

This broad scope significantly amplifies the potential impact across enterprise Argo CD deployments where multiple teams and automated systems rely on scoped API tokens for GitOps operations.

Technical Impact and Exploitation Details

The vulnerability manifests when API tokens with seemingly benign permissions, such as application synchronization and retrieval, are able to call the detailed project endpoint.

A typical exploitation scenario involves a token configured with basic project permissions executing a simple HTTP GET request to the vulnerable endpoint, which then returns a JSON response containing plaintext repository credentials.

The security researcher demonstrated the vulnerability using a token granted only standard application permissions: applications, sync; applications, action; and applications, get.


When this token queries the project details API, the response inappropriately includes a repositories array containing sensitive credential information such as usernames, passwords, repository types, and associated project names.

This represents a fundamental breakdown in the principle of least privilege, where authentication tokens gain access to data far beyond their intended scope.

In enterprise environments where Argo CD manages hundreds of applications across multiple repositories, this vulnerability could expose critical infrastructure credentials to unauthorized parties.

CVE ID: CVE-2025-55190
Title: Argo CD Project API Token Exposes Repository Credentials
Severity: Critical (9.8/10)

Organizations using Argo CD should immediately upgrade to the patched versions and audit their API token permissions.
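Two checks an operator would want while carrying out that audit, written as an added example for this article and not code from Argo CD or from the researcher: the first parses an Argo CD policy.csv (p and g lines) and lists every subject whose effective policy allows projects get on a given project, which, per the advisory above, is the permission that exposed repository credentials on unpatched versions; the second inspects a detailed-project response body and reports any repository entry that still carries credential fields, so it can confirm after the upgrade that the endpoint no longer returns them. The sample policy and response body are constructed, the credential field names are an assumption, and fnmatch stands in for Argo CD's own glob matcher.

```python
import csv
import fnmatch
import io
import json
from collections import defaultdict

# Constructed sample of an Argo CD RBAC policy (policy.csv format):
#   p, <subject>, <resource>, <action>, <object>, <effect>
#   g, <user or group>, <role>
SAMPLE_POLICY = """\
p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
p, role:deployer, applications, sync, team-a/*, allow
p, role:deployer, applications, action/*, team-a/*, allow
p, role:deployer, applications, get, team-a/*, allow
p, role:deployer, projects, get, team-a, allow
p, role:ci-bot, applications, sync, team-b/*, allow
p, role:ci-bot, applications, get, team-b/*, allow
g, alice, role:readonly
g, ci-token, role:ci-bot
"""

# Credential-bearing fields of a repository object, as assumed here
# (the article only names usernames and passwords).
CREDENTIAL_FIELDS = {"username", "password", "sshPrivateKey",
                     "tlsClientCertKey", "githubAppPrivateKey"}


def parse_policy(text):
    """Split policy.csv into p-line grants and g-line role memberships."""
    grants = defaultdict(list)       # subject -> [(resource, action, object, effect)]
    memberships = defaultdict(list)  # member  -> [role, ...]
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0].startswith("#"):
            continue
        if row[0] == "p" and len(row) == 6:
            _, subject, resource, action, obj, effect = row
            grants[subject].append((resource, action, obj, effect))
        elif row[0] == "g" and len(row) == 3:
            memberships[row[1]].append(row[2])
    return grants, memberships


def effective_subjects(subject, memberships):
    """The subject itself plus every role reachable through g lines."""
    seen, stack = set(), [subject]
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(memberships.get(s, []))
    return seen


def can_get_project(subject, project, grants, memberships):
    """True if an effective role allows projects/get on this project and
    none denies it. fnmatch approximates Argo CD's glob matcher (assumption)."""
    allow = deny = False
    for role in effective_subjects(subject, memberships):
        for resource, action, obj, effect in grants.get(role, []):
            if (fnmatch.fnmatch("projects", resource)
                    and fnmatch.fnmatch("get", action)
                    and fnmatch.fnmatch(project, obj)):
                if effect == "deny":
                    deny = True
                else:
                    allow = True
    return allow and not deny


def subjects_with_project_get(project, policy_text):
    """Every subject (role, user or group) whose effective policy lets it
    read the given project; on an unpatched instance that is enough to
    read the project's repository credentials via the detailed endpoint."""
    grants, memberships = parse_policy(policy_text)
    subjects = set(grants) | set(memberships)
    return sorted(s for s in subjects
                  if can_get_project(s, project, grants, memberships))


def leaked_credential_fields(response_body):
    """Scan a detailed-project response body for repository entries that
    still carry credential fields; a patched instance should yield []."""
    doc = json.loads(response_body)
    found = []
    for repo in doc.get("repositories") or []:
        for field in sorted(CREDENTIAL_FIELDS & set(repo)):
            found.append((repo.get("repo", "?"), field))
    return found


# Constructed example of a response body from an unpatched instance.
SAMPLE_RESPONSE = json.dumps({
    "globalProjects": [],
    "repositories": [
        {"repo": "https://git.example.invalid/team-a/app.git", "type": "git",
         "project": "team-a", "username": "deploy", "password": "sample-secret"},
        {"repo": "https://charts.example.invalid/team-a", "type": "helm",
         "project": "team-a"},
    ],
})

if __name__ == "__main__":
    print("can read team-a:", subjects_with_project_get("team-a", SAMPLE_POLICY))
    print("can read team-b:", subjects_with_project_get("team-b", SAMPLE_POLICY))
    print("credentials in response:", leaked_credential_fields(SAMPLE_RESPONSE))
```

Feed subjects_with_project_get the contents of the argocd-rbac-cm policy (plus any project-scoped roles) and compare the result with the list of tokens you intended to have project read access; every extra subject is one to rotate or restrict. After upgrading, pass the body returned by the detailed endpoint for a token that holds only projects get to leaked_credential_fields; an empty list is the expected result, and any non-empty result means the instance is still exposing credentials.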

The vulnerability underscores the importance of implementing proper access controls and regular security assessments in GitOps infrastructure, particularly as these systems often serve as central orchestration points for entire application deployment pipelines.


The post Critical Argo CD API Flaw Exposes Repository Credentials appeared first on Cyber Security News.
