- Last update: 08/09/2025
- Affected software: Argo CD
→ 2.13.0 through 2.13.8,
→ 2.14.0 through 2.14.15,
→ 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1
- Type: Exposure of Sensitive Information to an Unauthorized Actor
- CVE/CVSS
→ CVE-2025-55190: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Argo CD Advisory - https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff
A newly discovered flaw in Argo CD allows API tokens with project-level or project-get permissions to retrieve sensitive repository credentials, including usernames and passwords, through the project details API endpoint, even without explicit access to secrets.
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes, used to automate application deployment and manage repositories across clusters.
If exploited, this could lead to data breaches, system compromise, operational downtime, and supply chain attacks impacting the confidentiality, integrity, and availability of critical businesses.
A critical security vulnerability has been identified in Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. This flaw arises from improper access control in the project details API endpoint. API tokens with project-level or project-get permissions can retrieve sensitive repository credentials, including usernames and passwords, even when the token only has standard application management permissions and no explicit access to secrets.
In affected versions (2.13.0–2.13.8, 2.14.0–2.14.15, 3.0.0–3.0.12, and 3.1.0-rc1–3.1.1), an attacker with such API tokens could exploit this vulnerability to exfiltrate repository credentials, potentially compromising applications and CI/CD pipelines. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14, and 3.1.2. Organizations are strongly advised to update immediately to mitigate risk.
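The affected and fixed version ranges listed above, turned into a check a defender can run against the version an Argo CD installation reports (for instance the `argocd-server` line of `argocd version`). This is an added example, not code from the CCB advisory or the Argo CD project; it assumes version strings follow the semver-style forms `3.1.1`, `v3.1.0-rc1` or `v3.1.1+<build>`.

```python
import re
from typing import Tuple

# Version ranges exactly as listed in the advisory:
# (first affected, last affected, version carrying the fix).
AFFECTED_RANGES = [
    ("2.13.0", "2.13.8", "2.13.9"),
    ("2.14.0", "2.14.15", "2.14.16"),
    ("3.0.0", "3.0.12", "3.0.14"),
    ("3.1.0-rc1", "3.1.1", "3.1.2"),
]

# Accepts "3.1.1", "v3.1.0-rc1" and build-metadata forms such as "v3.1.1+e8f8610"
# (the version string format is an assumption, not taken from the advisory).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+.*)?$")


def parse_version(text: str) -> Tuple[int, int, int, Tuple[int, ...]]:
    """Turn an Argo CD version string into a tuple that sorts like semver.

    The last element is (1,) for a release and (0, n) for a prerelease such
    as rc<n>, so 3.1.0-rc1 < 3.1.0-rc2 < 3.1.0, which the advisory's
    "3.1.0-rc1 through 3.1.1" range requires.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (major, minor, patch, (1,))
    num = re.search(r"(\d+)$", pre)  # rank rc tags by their trailing number
    return (major, minor, patch, (0, int(num.group(1)) if num else 0))


def assess(version: str) -> str:
    """Classify one version as 'affected', 'fixed' or 'not listed'.

    'not listed' covers versions the advisory does not mention (e.g. 3.0.13,
    which sits between the last affected 3.0.12 and the fix 3.0.14); check
    those against the upstream advisory rather than assuming they are safe.
    """
    v = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if parse_version(first) <= v <= parse_version(last):
            return "affected"
        f = parse_version(fixed)
        if v[:2] == f[:2] and v >= f:  # same release line, at or past the fix
            return "fixed"
    return "not listed"
```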
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable systems with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends that organizations scale up monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
Argo CD Project fix - https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8