A critical vulnerability in Argo CD, tracked as CVE-2025-55190, has been discovered that allows users with low-privileged API tokens to access sensitive Git repository credentials. The flaw affects all Argo CD versions up to 2.13.0 and has been assigned a CVSS v3 severity score of 10.0, the highest possible rating.
The vulnerability stems from the project details API endpoint, which unintentionally permits API tokens with basic get permissions to retrieve repository usernames and passwords. These credentials could be exploited by attackers to clone private codebases, inject malicious manifests, compromise downstream environments, or pivot into other systems that reuse the same credentials.
Argo CD, a Kubernetes-native GitOps tool, is widely used by major enterprises including Google, Adobe, IBM, Intuit, Capital One, Red Hat, and BlackRock to manage large-scale production deployments. The flaw’s impact is particularly severe because of the tool’s deep integration with mission-critical infrastructure and sensitive code repositories.
According to the security bulletin published on the Argo Project’s GitHub, even standard application management permissions—with no explicit access to secrets—are enough to exploit this issue. This affects not only project-scoped tokens but also global roles with general project read permissions, such as projects, get, *.
While the vulnerability does require a valid API token, its accessibility to low-privileged users significantly widens the threat surface. The Argo team warns that the ease with which credentials can be extracted could enable attackers to conduct supply chain attacks or extortion schemes.
The flaw was discovered by Ashish Goyal and has been patched in Argo CD versions 3.1.2, 3.0.14, 2.14.16, and 2.13.9. Organizations running affected versions are strongly urged to upgrade immediately to avoid exposure and conduct audits of token scopes and permissions across their environments.
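As an added example, not code from the Argo Project or the bulletin, the following script audits an Argo CD RBAC policy.csv for every subject that ends up with the projects, get permission the bulletin names, resolving role inheritance through g lines. The sample policy is constructed, and the deny-override handling with exact object matching is a simplifying assumption.

```python
# Audits an Argo CD RBAC policy.csv for subjects that can `get` projects, the
# permission that CVE-2025-55190 turns into repo-credential exposure if unpatched.
import csv
from collections import defaultdict
# Constructed sample policy, not from a real deployment; the role:readonly
# grant mirrors the built-in project-read permission Argo CD ships with.
SAMPLE_POLICY = """\
p, role:readonly, projects, get, *, allow
p, role:ci-deployer, applications, sync, team-a/*, allow
p, role:ci-deployer, projects, get, team-a, allow
p, role:no-projects, *, *, *, allow
p, role:no-projects, projects, get, *, deny
g, ci-token, role:ci-deployer
g, dev-team, role:readonly
g, auditor, role:no-projects
"""

def parse_policy(text):
    """Split casbin CSV into `p` rules and `g` (subject -> role) grants."""
    rules, grants = [], defaultdict(set)
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        if row and row[0] == "p" and len(row) == 6:
            rules.append(tuple(row[1:]))  # subject, resource, action, obj, effect
        elif row and row[0] == "g" and len(row) == 3:
            grants[row[1]].add(row[2])
    return rules, grants

def effective_roles(subject, grants):
    """Resolve transitive `g` grants (subject -> role -> role ...)."""
    seen, stack = set(), [subject]
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(grants.get(s, ()))
    return seen

def project_readers(text):
    """Map subject -> project objects it can `get` (deny-override, exact names)."""
    rules, grants = parse_policy(text)
    exposed = {}
    for subj in {r[0] for r in rules} | set(grants):
        who = effective_roles(subj, grants)
        hits = [r for r in rules if r[0] in who
                and r[1] in ("projects", "*") and r[2] in ("get", "*")]
        allowed = {r[3] for r in hits if r[4] == "allow"}
        denied = {r[3] for r in hits if r[4] == "deny"}
        if "*" not in denied and allowed - denied:
            exposed[subj] = sorted(allowed - denied)
    return exposed
```

Every subject the script reports should be treated as able to read repository credentials on an unpatched server, so those tokens are the ones to rotate and re-scope first.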
With GitOps becoming central to modern DevOps practices, this vulnerability is a stark reminder that token-based access controls must be rigorously enforced. In environments where automation is key, even the smallest misstep in access management can unravel an organization’s entire security posture.