PatchSiren cyber security CVE debrief
CVE-2026-45738 argoproj CVE debrief
Argo CD users with application write access can set link.argocd.argoproj.io/* annotations whose pipe-separated values are rendered by ui/src/app/applications/components/application-summary/application-summary.tsx in the Summary tab URLs section as anchor href values without URL validation, allowing javascript: execution in a higher-privileged user's authenticated Argo CD origin session. This issue is fixed in versions 3.2.12, 3.3.10, and 3.4.2. The vulnerability allows for potential JavaScript execution in an authenticated session, posing a high risk to Argo CD users.
- Vendor
- argoproj
- Product
- argo-cd
- CVSS
- HIGH 7.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-15
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-15
- Advisory updated
- 2026-07-16
Who should care
Users of Argo CD with application write access, administrators of Argo CD instances, security teams monitoring for potential JavaScript execution vulnerabilities, and operators managing Kubernetes environments.
Technical summary
Prior to 3.2.12, 3.3.10, and 3.4.2, Argo CD users with application write access can set link.argocd.argoproj.io/* annotations whose pipe-separated values are rendered by ui/src/app/applications/components/application-summary/application-summary.tsx in the Summary tab URLs section as anchor href values without URL validation, allowing javascript: execution in a higher-privileged user's authenticated Argo CD origin session. This issue is fixed in versions 3.2.12, 3.3.10, and 3.4.2, addressing the improper URL validation vulnerability.
Defensive priority
High priority due to potential for JavaScript execution in an authenticated session and impact on Argo CD users with application write access.
Recommended defensive actions
- Update Argo CD to version 3.2.12, 3.3.10, or 3.4.2 or later
- Restrict application write access to trusted users
- Monitor for suspicious annotation changes
- Implement additional security measures to prevent JavaScript execution
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-15T20:17:05.057Z and was last modified on 2026-07-16T16:19:08.450Z. The NVD entry is currently Undergoing Analysis. This issue allows javascript: execution in a higher-privileged user's authenticated Argo CD origin session due to improper URL validation of link.argocd.argoproj.io/* annotations. Users should verify their Argo CD instances for exposure and review access controls.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T20:17:05.057Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.