Unauthenticated RCE in Argo CD Threatens Kubernetes Clusters, No Patch Available
A critical, unpatched vulnerability in **Argo CD**'s repo-server component allows unauthenticated attackers to execute arbitrary code, potentially leading to full Kubernetes cluster takeover. Discovered by **Synacktiv**, the flaw remains unfixed 18 months after initial disclosure, leaving many deployments exposed if network policies are not properly configured.
A significant security flaw in **Argo CD**, a popular GitOps continuous delivery tool for **Kubernetes**, has been publicly disclosed. The vulnerability, found in the tool's repo-server component, enables unauthenticated remote code execution (RCE) for attackers who can reach its internal network port.
Cybersecurity firm **Synacktiv** identified the bug and reported it to **Argo CD** maintainers in January 2025. Despite the severity, which **Synacktiv** states could lead to a full cluster takeover, no patch or **CVE** identifier has been issued, prompting the firm to release details as a warning to users.

### The Vulnerability Explained
The flaw resides within the repo-server, the **Argo CD** component responsible for reading Git repositories and generating **Kubernetes** manifests. Its internal gRPC service, lacking authentication, can be exploited by sending a specially crafted request to execute commands.
**Synacktiv** successfully demonstrated the attack against **Argo CD v2.13.3**, noting that no patched release is available. While a comprehensive list of affected versions was not published, the issue likely impacts a broad range of deployments.
### Abusing Kustomize and Helm
The attack leverages **kustomize**, a standard tool **Argo CD** uses to transform repository files into manifests. **Kustomize** includes a `--helm-command` option, which points to the **Helm** binary it should invoke. **Synacktiv** discovered that an unauthenticated request to the repo-server's `GenerateManifest` service can set this option to an attacker-controlled script, pulled from an external Git repository. When **kustomize** executes, it runs the malicious script instead of **Helm**.
### The Network Policy Gap
While **Argo CD** typically ships with **Kubernetes** network policies designed to isolate the repo-server, **Synacktiv** found that these policies are often disabled by default when **Argo CD** is installed via its **Helm** chart (specifically, `networkPolicy.create` is set to `false`). This configuration allows an attacker who has compromised any single pod within the cluster to reach the repo-server and trigger the RCE vulnerability.
### Escalating to Cluster Takeover
Gaining code execution on the repo-server is just the first step. **Synacktiv** demonstrated how this access could be used to extract **Argo CD**'s **Redis** password from an environment variable. With the **Redis** password, attackers can connect to **Argo CD**'s **Redis** cache and poison stored deployment data. During the next automatic synchronization, **Argo CD** then deploys an attacker-supplied workload.

This final step effectively revives aspects of **CVE-2024-31989**, a 2024 flaw where an unprotected **Redis** instance allowed cache poisoning. While **Argo CD** addressed that by adding a **Redis** password, stealing this password re-enables the same attack vector, as the cache itself is not cryptographically signed.
### Immediate Defensive Actions
Since no patch is currently available, network isolation is the primary defense. Organizations must ensure that **Kubernetes** network policies are enabled and properly configured to restrict access to the repo-server and **Redis** ports, allowing communication only from **Argo CD**'s own components.
Users of the **Argo CD Helm** chart must explicitly enable these policies, as they are disabled by default. Administrators can verify their active network policies using `kubectl get networkpolicy -A`. A secure installation should show specific network policies for each component, including the repo-server and **Redis**.
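One way to turn the `kubectl get networkpolicy` check above into a repeatable audit, as an added example that is not Synacktiv's or the Argo CD project's code: it reads the JSON that `kubectl get networkpolicy -n argocd -o json` prints and flags repo-server or Redis pods that no policy selects, or that a policy selects but still admits traffic from arbitrary sources. The pod label `app.kubernetes.io/name`, the component names listed as legitimate clients, and the ports in the constructed sample (8081, 6379) are assumptions taken from the upstream manifests, not from the article.

```python
"""Audit Argo CD NetworkPolicies (added example; not Synacktiv's or Argo CD's code).
Assumes pods carry the upstream label app.kubernetes.io/name, and that a policy only
protects a pod if it selects it, covers Ingress, and every ingress rule names explicit
Argo CD peers instead of allowing all sources."""
import json
import sys

LABEL = "app.kubernetes.io/name"
PROTECTED = ("argocd-repo-server", "argocd-redis")
ARGOCD_CLIENTS = {  # assumption: upstream label values of legitimate in-cluster callers
    "argocd-server", "argocd-application-controller", "argocd-repo-server",
    "argocd-applicationset-controller", "argocd-notifications-controller",
}

def _name(selector):
    return (selector or {}).get("matchLabels", {}).get(LABEL)

def audit(policy_list):
    """Return {pod name: [findings]}; an empty list means the pod is isolated."""
    findings = {name: [] for name in PROTECTED}
    seen = set()
    for pol in policy_list.get("items", []):
        spec = pol.get("spec", {})
        target = _name(spec.get("podSelector"))
        if target not in PROTECTED:
            continue
        seen.add(target)
        if "Ingress" not in spec.get("policyTypes", ["Ingress"]):  # k8s default
            findings[target].append("policy does not restrict Ingress")
        for rule in spec.get("ingress", []):
            peers = rule.get("from")
            if not peers:  # empty or missing `from` admits any source in the cluster
                findings[target].append("ingress rule allows all sources")
                continue
            for peer in peers:
                if _name(peer.get("podSelector")) not in ARGOCD_CLIENTS:
                    findings[target].append(f"peer {peer} is not an Argo CD component")
    for name in PROTECTED:
        if name not in seen:
            findings[name].append(f"no NetworkPolicy selects {name}")
    return findings

# Constructed sample: repo-server correctly isolated, Redis policy with an allow-all rule.
SAMPLE = {"items": [
    {"metadata": {"name": "argocd-repo-server-network-policy"},
     "spec": {"podSelector": {"matchLabels": {LABEL: "argocd-repo-server"}}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {LABEL: "argocd-server"}}},
                                    {"podSelector": {"matchLabels": {LABEL: "argocd-application-controller"}}}],
                           "ports": [{"port": 8081, "protocol": "TCP"}]}]}},
    {"metadata": {"name": "argocd-redis-network-policy"},
     "spec": {"podSelector": {"matchLabels": {LABEL: "argocd-redis"}}, "policyTypes": ["Ingress"],
              "ingress": [{"ports": [{"port": 6379, "protocol": "TCP"}]}]}}]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)  # pipe kubectl output in
    for pod, problems in audit(data).items():
        print(pod, "OK" if not problems else "; ".join(problems))
```

Pipe `kubectl get networkpolicy -n argocd -o json` into the script to audit a live namespace; a pod reported as "no NetworkPolicy selects" matches the default Helm-chart state the article describes.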
**Synacktiv** has developed an automation tool, `argo-cdown`, for the full attack chain. It is being withheld for now to allow defenders time to implement network policy changes, with plans for a public GitHub release later to help administrators test their deployments.
### A Recurring Pattern
This is not the first instance of **Argo CD** exposing its internal components or secrets. In September 2025, **CVE-2025-55190** was patched; it had allowed API tokens with basic read access to exfiltrate Git repository credentials. In May 2026, **CVE-2026-42880** permitted read-only users to access plaintext **Kubernetes** secrets. The pattern is concerning: **Argo CD** centralizes critical cluster access and repository secrets, and its internal interfaces have repeatedly shown weaknesses in protecting them, whether from unauthenticated requests or from low-privilege tokens.
Until a patch is released, treating the **Kubernetes** cluster network as a hostile environment is the only viable defense strategy for **Argo CD** users.