Argo-cd: argo cd unauthenticated remote code execution in repo-server via generatemanifest grpc endpoint
Summary
A flaw was identified in Argo CD, the GitOps engine used by Red Hat OpenShift GitOps, that could allow an unauthenticated attacker with network access to the Argo CD repo-server to achieve remote code execution. Under certain conditions, the attacker may then manipulate cached data to deploy malicious Kubernetes resources to managed clusters, potentially resulting in complete cluster compromise. Under certain conditions, an unauthenticated attacker with network access to the repo-server gRPC interface could execute arbitrary code and, as part of a multi-stage attack involving the Argo CD Redis cache, potentially compromise Kubernetes clusters managed by Argo CD. Red Hat OpenShift GitOps versions 1.20 and 1.21 are not affected by this vulnerability. As a result, the unauthenticated gRPC call path required for exploitation is not reachable from other pods in the cluster, and the attack chain cannot be initiated. Red Hat severity: Important — CVSS 8.9 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L). Weakness: CWE-306: Missing Authentication for Critical Function. Affected products named by the advisory: Red Hat Openshift Data Foundation 4.
Mitigation checklist
- Limit network access to the Argo CD repo-server gRPC endpoint to trusted internal components using Kubernetes NetworkPolicy or equivalent network access controls. Do not expose the repo-server outside the cluster or to untrusted networks. Restrict access to the associated Redis service and update to a fixed version once one becomes available.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.