Critical Argo CD API Flaw (CVE-2025-55190) Leaks Repository Credentials

Tue, 26 May 2026 00:00:00 +0000

🚨 CRITICAL — Security fix. Upgrade immediately.

Version: 3.1.2, 3.0.14, 2.14.16, 2.13.9 | Released: 2026-05-26 | Upgrade from: Multiple affected versions (see details)

Release at a Glance

A critical security vulnerability, CVE-2025-55190, has been identified and patched in Argo CD. This flaw allows project-level API tokens to expose sensitive repository credentials, posing a significant risk to CI/CD pipelines.

Here’s what you need to know immediately:

Critical Vulnerability: Project-level API tokens in affected Argo CD versions can retrieve repository usernames and passwords, even without explicit secret access permissions.
Immediate Action Required: All users running affected Argo CD versions must upgrade immediately to a patched version.
Impact: This vulnerability can lead to unauthorized access to your source code repositories, enabling supply chain attacks and compromising your infrastructure.
Fixed Versions: Upgrade to Argo CD 3.1.2, 3.0.14, 2.14.16, or 2.13.9 to remediate this issue.

Security Fixes: CVE-2025-55190

Today, we are releasing urgent patches for Argo CD to address a critical security vulnerability, CVE-2025-55190, titled “Project API Token Exposes Repository Credentials.” This flaw was discovered by Ashish Goyal and impacts the confidentiality of your repository access.

Argo Cd on AI VOID

Critical Argo CD API Flaw (CVE-2025-55190) Leaks Repository Credentials

Release at a Glance

Security Fixes: CVE-2025-55190