Unpatched Argo CD flaw lets attackers take over Kubernetes clusters

Researchers at Synacktiv disclosed an unpatched flaw in Argo CD, the popular GitOps tool for deploying to Kubernetes, that can lead to full cluster takeover. The problem is in repo-server, the component that turns Git repository files into Kubernetes manifests: its internal gRPC service requires no authentication, so anyone who can reach it on the cluster network can send a crafted request and run commands. Synacktiv reported it about eighteen months ago, but there is still no fix and no CVE, so it went public to warn users. With no patch, the practical defense is network isolation using Kubernetes network policies.

Check
Check whether Kubernetes network policies restrict access to Argo CD's repo-server and Redis, using kubectl get networkpolicy across namespaces; Helm installs leave these policies off by default, exposing the ports cluster-wide.
Affected
Argo CD deployments where the repo-server's unauthenticated internal service is reachable from the wider cluster network; any workload that can reach it can run commands and take over the cluster.
Fix
Enable Kubernetes network policies so only Argo CD components can reach the repo-server and Redis ports, isolate Argo CD on the cluster network, and watch for an official fix to apply.
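The check described above can be automated over the JSON that `kubectl get networkpolicy -A -o json` returns. The following is an added example, not code from Synacktiv or the Argo CD project. It assumes Argo CD runs in the `argocd` namespace and that its pods carry the `app.kubernetes.io/name` labels shown, and the sample policy is constructed.

```python
import json

# Assumed pod labels (those of the upstream Argo CD manifests); adjust to your install.
TARGETS = {"repo-server": {"app.kubernetes.io/name": "argocd-repo-server"},
           "redis": {"app.kubernetes.io/name": "argocd-redis"}}

def selects(selector, labels):
    """True if a NetworkPolicy podSelector matches pods carrying `labels`."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for e in selector.get("matchExpressions", []):
        val, op, vals = labels.get(e["key"]), e["operator"], e.get("values", [])
        if ((op == "In" and val not in vals) or (op == "NotIn" and val in vals)
                or (op == "Exists" and val is None)
                or (op == "DoesNotExist" and val is not None)):
            return False
    return True  # an empty selector matches every pod in the namespace

def audit(policies, namespace="argocd"):
    """Classify each target from `kubectl get networkpolicy -A -o json` output."""
    result = {}
    for name, labels in TARGETS.items():
        status = "UNPROTECTED"  # no ingress policy selects the pods: any source allowed
        for np in policies.get("items", []):
            spec = np.get("spec", {})
            if (np["metadata"].get("namespace") != namespace
                    or "Ingress" not in spec.get("policyTypes", ["Ingress"])
                    or not selects(spec.get("podSelector", {}), labels)):
                continue
            # Policies are additive: one rule without "from" admits every source
            # on the ports it lists, whatever the other policies say.
            if any(not rule.get("from") for rule in spec.get("ingress", [])):
                status = "OPEN_RULE"
                break
            status = "RESTRICTED"
        result[name] = status
    return result

# Constructed sample: repo-server limited to the Argo CD server, Redis left uncovered.
SAMPLE = json.loads("""{"items": [{
  "metadata": {"name": "repo-server-ingress", "namespace": "argocd"},
  "spec": {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "argocd-repo-server"}},
           "policyTypes": ["Ingress"],
           "ingress": [{"from": [{"podSelector": {"matchLabels":
               {"app.kubernetes.io/name": "argocd-server"}}}]}]}}]}""")

if __name__ == "__main__":
    print(audit(SAMPLE))  # feed real kubectl JSON instead of SAMPLE for live data
```

`RESTRICTED` only means every matching ingress rule names its sources; review those sources by hand to confirm they are limited to Argo CD components. The policies take effect only when the cluster's network plugin enforces NetworkPolicy.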