PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45738 argoproj CVE debrief

Argo CD users with application write access can set link.argocd.argoproj.io/* annotations whose pipe-separated values are rendered by ui/src/app/applications/components/application-summary/application-summary.tsx in the Summary tab URLs section as anchor href values without URL validation, allowing javascript: execution in a higher-privileged user's authenticated Argo CD origin session. This issue is fixed in versions 3.2.12, 3.3.10, and 3.4.2. The vulnerability allows for potential JavaScript execution in an authenticated session, posing a high risk to Argo CD users.

Vendor
argoproj
Product
argo-cd
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-15
Original CVE updated
2026-07-16
Advisory published
2026-07-15
Advisory updated
2026-07-16

Who should care

Users of Argo CD with application write access, administrators of Argo CD instances, security teams monitoring for potential JavaScript execution vulnerabilities, and operators managing Kubernetes environments.

Technical summary

Prior to 3.2.12, 3.3.10, and 3.4.2, Argo CD users with application write access can set link.argocd.argoproj.io/* annotations whose pipe-separated values are rendered by ui/src/app/applications/components/application-summary/application-summary.tsx in the Summary tab URLs section as anchor href values without URL validation, allowing javascript: execution in a higher-privileged user's authenticated Argo CD origin session. This issue is fixed in versions 3.2.12, 3.3.10, and 3.4.2, addressing the improper URL validation vulnerability.

Defensive priority

High priority due to potential for JavaScript execution in an authenticated session and impact on Argo CD users with application write access.

Recommended defensive actions

  • Update Argo CD to version 3.2.12, 3.3.10, or 3.4.2 or later
  • Restrict application write access to trusted users
  • Monitor for suspicious annotation changes
  • Implement additional security measures to prevent JavaScript execution
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-15T20:17:05.057Z and was last modified on 2026-07-16T16:19:08.450Z. The NVD entry is currently Undergoing Analysis. This issue allows javascript: execution in a higher-privileged user's authenticated Argo CD origin session due to improper URL validation of link.argocd.argoproj.io/* annotations. Users should verify their Argo CD instances for exposure and review access controls.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T20:17:05.057Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.