🔴 Critical | Source: The Hacker News
A security researcher at Synacktiv has uncovered an unpatched vulnerability in Argo CD’s repo-server component that allows an unauthenticated attacker to execute arbitrary code if they can reach the component’s internal network port. The flaw carries no CVE assignment yet and has no available fix. Successful exploitation could result in a full Kubernetes cluster takeover, making this a significant risk for any organisation using Argo CD in their GitOps pipeline.
Security Architect’s Take: Immediately restrict network access to the Argo CD repo-server port using network policies or firewall rules so it is only reachable by authorised internal components — this is the primary mitigation until an official patch is released. Audit your cluster’s network segmentation and ensure the repo-server is not inadvertently exposed within a broad internal network segment or to external traffic.
Original advisory: Unpatched Argo CD Repo-Server Flaw Could Let Attackers Take Over Kubernetes Clusters