# Critical Flaw in Argo CD Repo-Server Exposes Kubernetes Clusters to Unauthenticated Attacks

*Published July 3, 2026*
*Source: [https://thehackernews.com/2026/07/unpatched-argo-cd-repo-server-flaw.html](https://thehackernews.com/2026/07/unpatched-argo-cd-repo-server-flaw.html)*

## Executive Summary

A significant flaw in Argo CD's repo-server allows unauthenticated code execution, risking full control over Kubernetes clusters. Since no patch is available, network isolation is crucial to mitigate this threat.

## Article

Argo CD, a popular tool for deploying software to Kubernetes clusters, is currently facing a serious security threat due to an unpatched vulnerability in its repo-server component. This flaw allows an unauthenticated attacker to execute arbitrary code if they can access the component's internal network port. The cybersecurity firm Synacktiv uncovered this issue and has warned that it could lead to a complete takeover of Kubernetes clusters.

The vulnerability lies within the repo-server's internal gRPC service, which lacks authentication. This means that any attacker who can reach this service can send a specially crafted request to execute a command. This problem is further exacerbated by the Helm chart used to install Argo CD, which by default does not enable network policies that should isolate the repo-server from unauthorized access.

Exploiting this flaw, Synacktiv demonstrated that an attacker could manipulate the kustomize tool, which is standard in Argo CD, to run a script from an attacker-controlled Git repository instead of the intended helm binary. This execution allows the attacker to gain further access, such as reading the cluster's Redis password and poisoning the deployment cache. This vulnerability echoes a previous issue, CVE-2024-31989, where Argo CD's Redis instance had no password protection.

Currently, there is no patch available for this flaw, and no CVE has been assigned. As a temporary measure, users are advised to implement stringent network isolation. This involves activating Kubernetes network policies to ensure only Argo CD's components can access the repo-server and Redis ports. Network policies can be verified using the 'kubectl get networkpolicy -A' command. Synacktiv has developed a tool named argo-cdown to automate attacks, although it is withholding its release to allow time for defenses to be bolstered.

This incident is not isolated. In the past, Argo CD has addressed similar vulnerabilities that exposed its internal components to unauthorized access. Until a patch is developed, treating the Kubernetes cluster network as potentially hostile remains the best defense.
