Argo CD versions 3.2.0 through before 3.2.11 and 3.3.0 through before 3.3.9 contain a vulnerability (CVE-2026-43824) where the ServerSideDiff functionality exposes cleartext Kubernetes Secret data. This is due to improper handling of sensitive information (CWE-212), allowing potentially privileged users to read secret data that should be protected. The vulnerability has a CVSS 3.1 base score of 7.7, indicating high severity with network attack vector, low attack complexity, required privileges, no user interaction, and a significant confidentiality impact. No official patch or remediation level has been confirmed from the vendor at this time.

The vulnerability allows reading of cleartext Kubernetes Secret data via the ServerSideDiff feature in affected Argo CD versions. This compromises the confidentiality of sensitive information stored in Kubernetes Secrets. There is no reported impact on integrity or availability. No known exploits have been observed in the wild so far.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using the ServerSideDiff feature with sensitive Kubernetes Secrets or restrict access to trusted users with minimal privileges. Monitor vendor communications for updates on patches or official mitigations.