
Critical Argo CD API Vulnerability Exposes Sensitive Repository Credentials

A critical vulnerability has been identified in Argo CD that lets API tokens with limited permissions read sensitive repository credentials. The flaw sits in the Project API's detailed endpoint (/api/v1/projects/{project}/detailed, where {project} is the name of the project): its response includes the usernames and passwords of the repositories associated with that project, which breaks the platform's security model by handing secrets to callers that hold no explicit permission to read them. An API token with ordinary project-level permissions, such as those used to manage applications, can therefore retrieve every repository credential attached to the project. The expected behaviour is that a request for sensitive information requires elevated permissions; in the affected versions a token with basic access obtains the data anyway.

The impact is not limited to project-specific roles: any token that holds the projects, get RBAC permission is affected, including tokens with broader global permissions, so the set of tokens that can exploit the flaw is considerably larger than the project-scoped ones. An attacker holding such a token simply makes an authenticated GET request to the detailed project endpoint and receives a JSON response that wrongly includes plaintext usernames and passwords for the associated repositories. With those credentials the attacker can clone private source code or push malicious changes into repositories that feed the CI/CD pipeline. The Argo CD maintainers have released patches; administrators should upgrade to v3.1.2, v3.0.14, v2.14.16 or v2.13.9 (or a later release on the same branch) so that the permission check is enforced. Because the endpoint returned credentials to any token with projects, get, repository credentials that were reachable on an unpatched instance should also be rotated after the upgrade.
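The two checks a practitioner wants after reading the above are "is my instance on a fixed release?" and "does the detailed endpoint still hand back secrets?". The following script is an added example, not code from the Argo CD project or from the original article. It encodes the fixed versions listed above, inspects a detailed-project response for plaintext credential fields, and can issue the authenticated request itself against a live server. The JSON field names ("repositories", "repo", "username", "password", "sshPrivateKey"), the rule that release branches newer than 3.1 already carry the fix, and the sample response with fake credentials are assumptions made for the example.

```python
"""Triage helpers for the Argo CD detailed-project credential exposure.
Added example, not Argo CD project code. Assumed (not from the page): the
JSON field names used below, the "newer than 3.1 is fixed" branch rule, and
the constructed sample response with fake credentials."""
import json
import os
import urllib.request
from typing import Dict, List, Tuple

# First fixed release on each branch, as listed in the advisory summary.
PATCHED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (3, 1): (3, 1, 2),
    (3, 0): (3, 0, 14),
    (2, 14): (2, 14, 16),
    (2, 13): (2, 13, 9),
}

# Repository fields that must never reach a caller holding only "projects, get".
# The page names username and password; sshPrivateKey is an added assumption.
SECRET_FIELDS = ("username", "password", "sshPrivateKey")


def parse_version(version: str) -> Tuple[int, int, int, bool]:
    """'v2.14.15' -> (2, 14, 15, False); 'v3.1.2-rc1' -> (3, 1, 2, True).
    Build metadata after '+' is ignored; a '-' suffix marks a pre-release."""
    text = version.strip().lstrip("v").split("+", 1)[0]
    core, dash, _tag = text.partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Argo CD version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch, bool(dash)


def is_patched(version: str) -> bool:
    """True if the release contains the fix for its branch. Branches older
    than 2.13 have no fixed release listed and report False; branches newer
    than 3.1 are assumed to have branched after the fix."""
    major, minor, patch, prerelease = parse_version(version)
    branch, release = (major, minor), (major, minor, patch)
    fixed = PATCHED.get(branch)
    if fixed is None:
        return branch > (3, 1)
    if release == fixed:
        return not prerelease  # e.g. 3.1.2-rc1 predates the 3.1.2 fix
    return release > fixed


def leaked_credentials(detailed_response: dict) -> List[Dict[str, str]]:
    """Scan a detailed-project response for repository entries carrying
    non-empty secret fields. On a patched server this returns []."""
    findings: List[Dict[str, str]] = []
    for entry in detailed_response.get("repositories") or []:
        exposed = [field for field in SECRET_FIELDS if entry.get(field)]
        if exposed:
            findings.append({"repo": entry.get("repo", "<unknown>"),
                             "fields": ",".join(exposed)})
    return findings


def fetch_detailed_project(server: str, project: str, token: str) -> dict:
    """The call the article describes: an authenticated GET to the detailed
    project endpoint with a bearer API token. Needs network access."""
    url = f"{server.rstrip('/')}/api/v1/projects/{project}/detailed"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample of a vulnerable server's reply to a token that only
# holds "projects, get". Hosts and secrets are fake.
SAMPLE_VULNERABLE_RESPONSE = json.loads("""
{
  "project": {"metadata": {"name": "payments"}},
  "repositories": [
    {"repo": "https://git.example.internal/payments/api.git",
     "username": "ci-bot", "password": "not-a-real-password"},
    {"repo": "git@git.example.internal:payments/infra.git",
     "username": "ci-bot", "sshPrivateKey": "-----BEGIN OPENSSH PRIVATE KEY----- ..."},
    {"repo": "https://github.com/example/public-helm-charts"}
  ]
}
""")


if __name__ == "__main__":
    for v in ("v3.1.1", "v3.1.2", "v2.14.16", "v2.13.8"):
        print(f"{v}: {'patched' if is_patched(v) else 'VULNERABLE'}")
    print("sample response:", leaked_credentials(SAMPLE_VULNERABLE_RESPONSE))
    env = {k: os.environ.get(k) for k in ("ARGOCD_SERVER", "ARGOCD_PROJECT", "ARGOCD_TOKEN")}
    if all(env.values()):  # live probe only when all three variables are set
        body = fetch_detailed_project(env["ARGOCD_SERVER"], env["ARGOCD_PROJECT"], env["ARGOCD_TOKEN"])
        print("live check:", leaked_credentials(body) or "no plaintext credentials returned")
```

Run it with no environment variables to see the version logic and the offline sample; set ARGOCD_SERVER, ARGOCD_PROJECT and ARGOCD_TOKEN to a token that holds only projects, get to probe a real instance. Any non-empty result from the live check means the server is still returning secrets to a caller that should not see them and the listed credentials should be rotated.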

Categories: Vulnerability Disclosure, API Security, Credential Exposure 

Tags: Argo CD, Vulnerability, API Tokens, Repository Credentials, Authorization Check, Project API, Exploitation, Security Model, Patches, Source Code Theft 
