Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.

INFO

Published Date :

2025-09-04T22:37:52.811Z

Last Modified :

2025-09-05T16:07:25.315Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-55190 vulnerability.

Vendors Products
Argoproj
  • Argo-cd
Redhat
  • Openshift Gitops
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-55190.

URL Resource
https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8 cve-icon cve-icon
https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact