An Argo CD vulnerability allows API tokens with even low project-level get permissions to access API endpoints and retrieve all repository credentials associated with the project.
The flaw, tracked under CVE-2025-55190, is rated with the maximum severity score of 10.0 in CVSS v3, and allows bypassing isolation mechanisms used to protect sensitive credential information.
Attackers holding those credentials could then use them to clone private codebases, inject malicious manifests, attempt downstream compromise, or pivot to other resources where the same credentials are reused.
Argo CD is a Kubernetes-native continuous deployment (CD) and GitOps tool used by numerous organizations, including large enterprises such as Adobe, Google, IBM, Intuit, Red Hat, Capital One, and BlackRock, which use it for handling large-scale, mission-critical deployments.
The newly discovered vulnerability impacts all versions of Argo CD up to 2.13.0.
“Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, pass…