Argo CD, a widely used tool for deploying software on Kubernetes, has an unpatched flaw in its repo-server component that lets an unauthenticated attacker run code, provided they can reach the component’s internal network port.
Synacktiv, which found the bug, says it could lead to full cluster takeover. There is no fix and no CVE. The firm says it reported the defect to Argo CD’s maintainers in January 2025. Almost eighteen months later, a fix is still unreleased, so it published details to warn users.
The bug sits in the repo-server, the Argo CD component that reads Git repositories and creates Kubernetes manifests, files that define what the cluster deploys.
Its internal gRPC service has no authentication; anyone who can reach it can send a crafted request that runs a command. Synacktiv performed the attack against Argo CD v2.13.3 and reported that no patch has been released. It did not publish a full list of affected versions.
The technique abuses Kustomize, a standard tool that Argo CD runs to convert repository files into manifests. Kustomize has a --helm-command option that points to the Helm binary it should call.
Synacktiv found that an unauthenticated request to the repo-server’s GenerateManifest service could point that option at a script pulled from an attacker-controlled Git repository. When Kustomize runs, it executes the script instead of Helm.
But “internal” doesn’t mean isolated by default. Argo CD ships with Kubernetes network policies that isolate the repo-server from everything except its own components.
Synacktiv found that the Helm chart, a common way to install Argo CD, turns off those policies by default, setting networkPolicy.create to false. In that setup, an attacker who compromises a single pod in the cluster can reach the repo-server and trigger the bug.
Running the code on the repo-server is not the end of it. Synacktiv used that access to read the cluster’s Redis password from environment variables, connect to Argo CD’s Redis cache, and poison stored deployment data. On the next automatic sync, Argo CD deployed an attacker-provided workload.
That move revives CVE-2024-31989, a 2024 flaw Cycode found in which Argo CD’s Redis had no password, allowing any pod in the cluster to poison the cache. Argo CD fixed this by adding a Redis password, but the cache is still not signed, so stealing the password brings the same attack back.
What to do
There is no patched version, so the mitigation is network isolation. Turn on Kubernetes network policies so that only Argo CD’s own components can reach the repo-server and Redis ports. Argo CD provides the policy files; Helm users must enable them because the chart turns them off.
Check which policies are active with: kubectl get networkpolicy -A. A healthy install shows one network policy per component, including the repo-server and Redis. If those policies are missing, the repo-server and Redis ports are reachable from the rest of the cluster.
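The check above can be taken one step further than counting policies. The following is an added example, not code from Synacktiv or the Argo CD project: it reads the JSON form of the same listing (kubectl get networkpolicy -A -o json) and reports whether the repo-server and Redis are covered and whether any ingress rule still admits arbitrary pods. The pod label values and the ports 8081 and 6379 are assumed upstream defaults, the function names are illustrative, and the sample data is constructed.

```python
import json

LABEL = "app.kubernetes.io/name"
# Assumed defaults: upstream pod labels and listening ports (repo-server gRPC, Redis).
SENSITIVE = {"argocd-repo-server": 8081, "argocd-redis": 6379}

def rule_covers(rule, port):
    """True when an ingress rule applies to `port` (no ports list means all ports)."""
    ports = rule.get("ports")
    return not ports or any(p.get("port") == port for p in ports)

def peer_is_broad(peer):
    """True when a peer is an empty selector used alone, admitting whole namespaces."""
    if peer.get("namespaceSelector") == {} and "podSelector" not in peer:
        return True  # every pod in every namespace
    return peer.get("podSelector") == {} and "namespaceSelector" not in peer

def audit(netpols):
    """Map each sensitive component to MISSING, OPEN or RESTRICTED."""
    verdict = dict.fromkeys(SENSITIVE, "MISSING")
    for item in netpols.get("items", []):
        spec = item.get("spec", {})
        name = spec.get("podSelector", {}).get("matchLabels", {}).get(LABEL)
        if name not in SENSITIVE or "Ingress" not in spec.get("policyTypes", ["Ingress"]):
            continue
        for rule in spec.get("ingress", []):
            peers = rule.get("from")
            broad = not peers or any(peer_is_broad(p) for p in peers)
            if rule_covers(rule, SENSITIVE[name]) and broad:
                verdict[name] = "OPEN"  # policies are additive, one broad rule is enough
        if verdict[name] == "MISSING":
            verdict[name] = "RESTRICTED"
    return verdict

# Constructed sample: repo-server policy present, Redis policy absent.
SAMPLE = json.loads("""{"items": [{"metadata": {"namespace": "argocd"}, "spec": {
  "podSelector": {"matchLabels": {"app.kubernetes.io/name": "argocd-repo-server"}},
  "policyTypes": ["Ingress"],
  "ingress": [
    {"from": [{"podSelector": {"matchLabels": {"app.kubernetes.io/name": "argocd-server"}}}],
     "ports": [{"protocol": "TCP", "port": 8081}]},
    {"from": [{"namespaceSelector": {}}], "ports": [{"port": 8084}]}]}}]}""")

if __name__ == "__main__":
    for component, state in audit(SAMPLE).items():
        print(f"{component}: {state}")
```

A RESTRICTED result only describes the policy objects; they take effect only when the cluster’s network plugin enforces NetworkPolicy.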
Synacktiv created a tool, Argo-Seedown, that automates the entire attack. It is holding the tool back for now to give defenders time to lock down their network policies, and said it will publish it on GitHub later so administrators can test their own deployments.
This is not the first time Argo CD has exposed its own internals. In September 2025, it patched CVE-2025-55190, where an API token with only basic read access could pull back a project’s Git repository credentials, a flaw that Hacker News flagged at the time.
In May 2026, another bug, CVE-2026-42880, allowed read-only users to read plaintext Kubernetes secrets. The pattern is hard to miss: Argo CD centralizes cluster access and repository secrets, and its internal surfaces keep handing them out, to unauthenticated requests in one bug and to low-privilege tokens in the next.
Until a patch ships, the only real defense is to treat the cluster network as hostile.