A critical, unpatched vulnerability in Argo CD's repo-server component allows unauthenticated attackers to run arbitrary code, provided they can reach the component's internal network port. The flaw was discovered by security firm Synacktiv, which reported it to Argo CD's maintainers.
Synacktiv warns the bug could enable a full Kubernetes cluster takeover. No CVE identifier has been assigned yet, and no official fix is available at this time.
The attack vector relies on the attacker gaining network access to the repo-server's internal port. Once exploited, the flaw could lead to cluster-wide compromise, though specific technical indicators of compromise have not been publicly detailed.
Until a patch is released, organizations are advised to restrict network access to the repo-server component and monitor for unusual activity on that interface. The timeline for an official fix remains unclear.
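
One way to apply the network restriction advised above, as an added example that is not from Synacktiv or the Argo CD project: a Kubernetes NetworkPolicy that admits only Argo CD's own components to the repo-server. The `argocd` namespace, the `app.kubernetes.io/name` label values and port 8081 are assumptions based on a default install and should be checked against the actual deployment; the policy has an effect only if the cluster's CNI plugin enforces NetworkPolicy.

```yaml
# Added example: restrict ingress to the Argo CD repo-server.
# Assumptions: namespace "argocd", default component labels, repo-server port 8081.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: repo-server-restrict-ingress   # hypothetical name
  namespace: argocd
spec:
  # Selecting the pod with an Ingress policy denies every inbound
  # connection that is not explicitly allowed below.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Only pods in the same namespace carrying these labels may connect.
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-server
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-application-controller
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-applicationset-controller
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-notifications-controller
      ports:
        - protocol: TCP
          port: 8081
    # Metrics scraping is not allowed by this policy; if it is needed, add a
    # separate rule scoped to the monitoring namespace and the metrics port only.
```

After applying it, confirm from a pod outside the allowed set that a connection to the repo-server port is refused, and alert on any such attempts as part of monitoring that interface.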
The vulnerability highlights ongoing risks in the Kubernetes ecosystem, where supply-chain and configuration tools remain high-value targets. No attribution has been made beyond Synacktiv's discovery.