Unpatched Argo CD Repo-Server Flaw Could Let Attackers Take Over Kubernetes Clusters

Argo CD, a widely used tool for deploying software to Kubernetes, has an unpatched flaw in its repo-server component that allows an unauthenticated attacker to execute code, as long as they have access to the component’s internal network port.
Synacktiv, which discovered the bug, says it could lead to full cluster takeover. There is no fix and no CVE. The company says it reported the bug to Argo CD maintainers in January 2025; almost eighteen months later, it remains unpatched, so Synacktiv published the details to warn users.
The bug sits in the repo-server, the Argo CD component that reads Git repositories and generates Kubernetes manifests, the files that describe what the cluster runs.
Its internal gRPC service has no authentication; anyone who can reach it can send a crafted request that executes a command. Synacktiv demonstrated the attack on Argo CD v2.13.3 and reports that no release has been patched; it did not publish a full list of affected versions.
The attack abuses Kustomize, a common tool Argo CD runs to convert configuration files into manifests. Kustomize has an option, --helm-command, that points to the helm binary to call.
Synacktiv discovered that an unauthenticated request to the repo-server’s GenerateManifest service could set that option to a script instead, pulled from an attacker-controlled Git repository. When Kustomize runs, it executes the script rather than helm.
But “internal” does not automatically mean isolated. Argo CD ships Kubernetes network policies that shield the repo-server from everything except its own components.
Synacktiv found that the Helm chart, the standard Argo CD installation method, leaves those policies disabled by default, with networkPolicy.create set to false. In that setup, an attacker who compromises one pod in the cluster can reach the repo-server and trigger the bug.
Running code on the repo-server is not the end of it. Synacktiv used that access to read the cluster’s Redis password from an environment variable, connect to Argo CD’s Redis cache, and poison the stored deployment data. On the next automatic sync, Argo CD deployed what the attacker had supplied.

That move revives CVE-2024-31989, a 2024 bug Cycode found in which Argo CD’s Redis had no password, allowing any pod in the cluster to tamper with the deployment cache. Argo CD fixed that by adding a Redis password, but the cache itself is still unsigned, so stealing the password reopens the same attack.
What to do
There is no patched version, so the defense is network isolation. Enable the Kubernetes network policies so that only Argo CD components can reach the repo-server and Redis ports. Argo CD provides the policy files; Helm users must enable them themselves because the chart leaves them disabled.
Check what is in place with: kubectl get networkpolicy -A. A healthy installation shows one network policy for each component, including the repo-server and Redis. If those policies don’t exist, the repo-server and Redis ports are accessible from the rest of the cluster.
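The listing above only shows that policies exist. The following added example (not from Synacktiv or the Argo CD project) reads the same listing as JSON and reports whether the repo-server and Redis pods are actually covered by an ingress policy. The argocd namespace and the app.kubernetes.io/name label values are assumptions based on Argo CD's stock manifests, and the sample data is constructed.

```python
import json
import sys

LABEL = "app.kubernetes.io/name"
# Assumed label values (as in Argo CD's stock manifests); confirm them with
# `kubectl get pods -n argocd --show-labels` before trusting the result.
COMPONENTS = {"repo-server": "argocd-repo-server", "redis": "argocd-redis"}

def covers(policy, namespace, label_value):
    """True if this policy restricts ingress to pods carrying the label."""
    if policy["metadata"].get("namespace") != namespace:
        return False  # a NetworkPolicy only applies inside its own namespace
    spec = policy.get("spec", {})
    # With policyTypes omitted, Kubernetes always treats the policy as Ingress.
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return False
    selector = spec.get("podSelector", {})
    wanted = selector.get("matchLabels", {})
    # matchExpressions and other label keys are not evaluated: review by hand.
    if selector.get("matchExpressions") or set(wanted) - {LABEL}:
        return False
    # An empty selector matches every pod in the namespace.
    return wanted.get(LABEL, label_value) == label_value

def audit(netpols, namespace="argocd"):
    """Map each component to 'missing', 'open' or 'restricted'."""
    result = {}
    for component, label_value in COMPONENTS.items():
        matching = [p for p in netpols.get("items", [])
                    if covers(p, namespace, label_value)]
        # Policies are additive: one rule without `from` admits every source.
        opened = any(not r.get("from") for p in matching
                     for r in p.get("spec", {}).get("ingress", []))
        result[component] = ("missing" if not matching
                             else "open" if opened else "restricted")
    return result

# Constructed sample in the shape of `kubectl get networkpolicy -A -o json`.
SAMPLE = {"items": [
    {"metadata": {"name": "redis-policy", "namespace": "argocd"},
     "spec": {"podSelector": {"matchLabels": {LABEL: "argocd-redis"}},
              "ingress": [{"from": [{"podSelector": {}}]}]}},
    {"metadata": {"name": "elsewhere", "namespace": "default"},
     "spec": {"podSelector": {"matchLabels": {LABEL: "argocd-repo-server"}}}},
]}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print(audit(data))
```

Save the output of kubectl get networkpolicy -A -o json to a file and pass its path as the first argument; a result of "missing" or "open" for either component means the port is still reachable from other pods.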
Synacktiv has built a tool, argo-cdown, that automates the full attack. It is withholding the tool for now to give defenders time to fix their network policies, and says it will publish it on GitHub later so administrators can test their deployments.
This isn’t the first time Argo CD has exposed its internals. In September 2025, it patched CVE-2025-55190, where an API token with basic read access could retrieve the credentials of a project’s Git repository, a bug that Hacker News flagged at the time.
In May 2026, another bug, CVE-2026-42880, allowed read-only users to read plaintext Kubernetes secrets. The pattern is hard to miss: Argo CD holds cluster access and cached secrets, and its internals keep giving them away, to an unauthenticated request in one bug and a low-privilege token in the next.
Until the patch ships, treating the cluster network as hostile is the only real defense.



