Argo CD's Default Config Lets an Insider Hijack Your Whole Kubernetes Cluster β CVE-2026-15416, Update the Chart to v10.0.0
A flaw in Argo CD lets an attacker with a foothold inside the network take over the entire server platform it manages. CVE-2026-15416, rated 8.9 out of 10. Used by roughly half of all GitOps shops, it needs the distribution chart updated to v10.0.0, or the traffic-restriction setting turned on.
Table of contents
A flaw in Argo CD lets an attacker with a foothold inside the network take over the entire server platform it manages. CVE-2026-15416, rated 8.9 out of 10. Used by roughly half of all GitOps shops, it needs the distribution chart updated to v10.0.0, or the traffic-restriction setting turned on.
On July 14, 2026, Argo CD β the tool that automatically ships and updates applications across servers β was assigned CVE-2026-15416 for a dangerous default setting. Its severity is rated 8.9 out of 10. The target is not a server exposed to the open internet, but an attacker who has already gained a foothold inside the internal network. From there, they could take over the entire server platform (Kubernetes cluster) that Argo CD manages.
It started with research published by the French security firm Synacktiv. The company found a hole inside Argo CD that lets someone run commands without authentication, and showed that if left alone it reaches all the way to a full cluster takeover. This CVE covers the fix that closes off that path by making the default state of the distribution package (the Helm chart) secure. The fix is to update the distribution chart "argo-helm" to v10.0.0 or later, or to turn on the traffic-restriction setting yourself.
What happened
Here are the key facts up front. This CVE is not "a bug in Argo CD's own code" β it is a configuration flaw where a dangerous default was shipped as-is. The classification is "missing authentication" (CWE-306), meaning a doorway that should have been guarded by a password or similar was left wide open.
| Item | Detail |
|---|---|
| CVE | CVE-2026-15416 |
| Severity | 8.9 / 10.0 (High) AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L |
| Type | Missing authentication (CWE-306) traffic restriction off by default |
| Affected | Argo CD distribution Helm chart "argo-helm" before 10.0.0 |
| Precondition | Needs a foothold inside the cluster network; not directly from outside |
| Worst case | Full takeover of the server platform Argo CD manages |
| Fix | argo-helm 10.0.0 (traffic restriction on by default) |
| Workaround | Set global.networkPolicy.create to true |
| Exploitation | None reported so far (automation tool held back) |
The severity string includes "AV:A." That means the attack requires reaching an adjacent, internal network β it cannot be triggered by just anyone straight from the internet. This is the part that shapes how urgent it feels. But as we'll see, it holds up even if "just one machine inside the cluster is compromised," so "it's internal, therefore safe" does not apply. It is not currently on the U.S. CISA list of vulnerabilities confirmed to be exploited in the wild (KEV), and there are no reports of real-world abuse yet.
Who targets this, and what do they try to do
A severity number alone makes it hard to tell whether this concerns you, so let's sketch the attacker first. The one to watch here is an intruder who has gotten one step inside your cluster somehow and now wants to spread sideways into greater privilege. A phished account, another hijacked app, a single machine leaked by a misconfiguration β the entry point doesn't matter. What they hunt for is a component they can touch from the inside without any key.
That component is the "repo-server," the part of Argo CD that does the actual shipping work. What the intruder does here is slip a trick into the shipping process so that, instead of the tool that was supposed to be called, their own program runs. No need to steal a password or brute-force anything. This part was built on the assumption that "requests from the inside can be trusted," so it never asks for the identity of whoever stands inside it.
What's lost once that program runs is not limited to that one server. Argo CD holds broad power to push applications to many servers. Using it as a stepping stone, the intruder rewrites what gets shipped, re-delivers malicious apps to each server, and ultimately seizes the entire platform Argo CD orchestrates. For end users that means services tampered with or stopped; for the operating company it means the production environment itself is taken over. That is exactly why experts keep saying this one corner deserves special protection.
What Argo CD actually does
Argo CD runs on top of Kubernetes (the foundation that runs large numbers of servers and apps together) and keeps applications shipped and updated automatically. When a developer writes "I want it in this state" into Git (the repository that stores the blueprint), Argo CD reads it and automatically nudges the real servers toward exactly that state. This approach of "treat what's written in Git as the source of truth and apply it automatically" is called GitOps.
Argo CD dominates this space. In Octopus Deploy's 2025 survey cited by Cloud Native Now, roughly half of companies practicing GitOps use Argo CD β about 4.5 times the runner-up, Flux. An earlier user survey found over 90% of respondents running it in production. From finance to web services, it sits at the center of companies' production platforms.
By the nature of its job, Argo CD holds a lot of power. As researcher Devashri Datta notes in CSO Online's analysis, Argo CD holds "read access to private repositories, sync/write access to target clusters, and custody of deployment secrets" all at once. Grab this one spot, and everything downstream is within reach. That concentration is why experts urge treating Argo CD as "tier zero" β the most critical of the critical.
How the attack works: handing the "shipping worker" a different order
According to Synacktiv's technical writeup, the key players are Argo CD's internal "repo-server" and the config-assembly tool it calls, kustomize. The repo-server reads blueprints from Git and assembles them into a deployable form β the worker on the floor. That worker has an internal intake for outside instructions called GenerateManifest.
The problem is that this intake did not verify identity. A request arriving from the internal network is simply accepted and processed. Synacktiv showed the intake was alive with a simple check:
curl -kis -H 'Content-Type: application/grpc' \
https://argo-cd.local:8081/repository.RepoServerService/GenerateManifest
HTTP/2 405The "405" that came back means "the intake exists, but it doesn't accept that way of asking (GET)." Read the other way around: ask in the correct format, and processing proceeds without any lock.
Here's the heart of it. Kustomize has a setting called --helm-command that lets you specify "when you call Helm (another shipping tool), use the program at this location." Synacktiv mixed that setting into a request sent to the identity-less intake and succeeded in running a script the attacker prepared, in place of Helm. Since the attacker freely chooses the Git the blueprint is pulled from, bundling a malicious script means it runs as-is.
kustomize build <path inside attacker's Git> \
--enable-helm --helm-command ./exfil.shTo find the hole, Synacktiv security researcher Hugo Vincent and colleagues added custom rules to the code-analysis tool CodeQL. Instead of manually tracing Argo CD's roughly 230,000 lines of code, they automatically surfaced "paths where an outside value flows into a command-execution component," mechanically finding more than 20 risky paths.
Why taking over one machine spreads to the "whole platform"
Running a program on the repo-server is dangerous enough, but Synacktiv showed the path beyond it, to a full platform takeover. The key is Redis, the fast scratchpad (cache) where Argo CD temporarily stores its results.
The attacker first pulls the password to enter Redis from an environment variable through the program they ran, then connects to that scratchpad. Next, they quietly swap "what should be shipped to each server next," stored in the scratchpad, for malicious content. Because Argo CD periodically compares "the current state" against "the desired state" and auto-corrects any drift, the poisoned content gets shipped to each server as a legitimate update. Deliver a privileged rogue app, and from there it reaches control of the whole platform.
Official docs describe Redis as a "throw-away cache that can be lost." As storage it's treated lightly, but as long as its contents drive shipping decisions, rewriting them does real harm. Synacktiv also built a tool, "argo-cdown," to automate the whole attack, but says it is holding back release for now to give defenders time to lock down their settings.
From discovery to disclosure
This issue took a long time β eighteen months from report to disclosure. Synacktiv reported it to the maintainers in January 2025, but despite repeated follow-ups the fix on the core side did not progress, and the details became public in July 2026.
β Swipe to move
One thing to keep straight: the CVE number was assigned to the chart's dangerous default, not to a fix in the repo-server code itself. The maintainers take the position that "repo-server is an internal-network-only component, designed on the assumption that it is never touched directly from outside." So the linchpin of defense is network isolation, and this chart fix closes the abuse path by applying that isolation automatically in the default state.
Is your environment affected?
Whether you're affected depends on how you installed Argo CD and whether you've turned on traffic restriction (network policy) yourself. The case to watch is installing via the official distribution chart, "argo-helm." Per the vendor advisory (GHSA-47m3-95c7-g2g8), this chart left traffic restriction off by default for a long time. Use the table below to check your situation.
| Install / config state | Risk | What to do |
|---|---|---|
| argo-helm before 10.0.0 traffic restriction unset | High | Update chart to 10.0.0+ or enable traffic restriction |
| argo-helm 10.0.0+ default settings | Low | Re-confirm restriction is on (not overridden by custom values) |
| Old chart but you set traffic restriction yourself | Medium | Review the scope of the rules update core and chart too |
| Installed via Red Hat OpenShift GitOps | Check | Follow Red Hat's guidance for updates and settings |
Red Hat has also published this CVE for its commercial edition, OpenShift GitOps. If you run Argo CD on OpenShift, be sure to check the status of Red Hat's recommended updates and errata. Note that environments where you have properly applied traffic restriction, or that follow the official upstream (argo-cd) recommended settings, keep the repo-server unreachable from outside in the first place β so this abuse path is hard to pull off.
What to do right now
The remedy isn't hard. Work through it in order and you close the entry point for abuse.
First, update the distribution chart to argo-helm 10.0.0 or later. From this version, traffic restriction (global.networkPolicy.create) is on by default, so repo-server and Redis are automatically protected to be reachable only from Argo CD's own components. There's one pitfall here: even after updating the chart, if you override this value in your own settings file (values), the helpful new default gets cancelled out. The advisory itself urges you to "verify that global.networkPolicy.create is true, matching the new default."
If you can't upgrade the chart immediately, simply setting the same value to true by hand also works around it. Alongside that, as the official security guidance shows, restrict traffic to repo-server and Redis to Argo CD's components only, so other apps in the cluster can't reach them. When IDC's Sakshi Grover says in CSO Online to "evaluate which workloads can communicate with the Argo CD control plane, and assess attack paths rather than just perimeter exposure," this internal isolation is exactly what's meant.
Finally, narrow down who β people and apps β has permission to touch Argo CD. Taking inventory of operational accounts, disabling unneeded tokens, and enforcing least privilege are the plain, effective defenses that keep attackers from building a foothold on the inside.
Experts warn: the shipping platform is a top-tier asset
The point made over and over in this case is that "a shipping platform like Argo CD should be guarded as a top-tier asset, on par with identity systems." Seize it, and it's not a single app that's poisoned but every app it ships.
Synacktiv security expert Hugo Vincent explains why Argo CD is an appealing target: "To function effectively and deploy resources in Kubernetes clusters, Argo CD requires significant privileges within the cluster. Additionally, it has access to private Git repositories, making it an attractive target for attackers." The convenience you gain by concentrating power is matched by the scale of the damage when that spot is broken.
Again, this hole is not the kind "anyone can trigger directly from outside" β it presumes a foothold on the inside. But since one compromised machine can reach the whole, the mindset of "just harden the perimeter and you're safe" won't hold. Sealing off, one by one, the paths an attacker uses to move sideways on the inside is what defense will center on going forward.
Summary
CVE-2026-15416 is a case where a weak default in Argo CD β the "shipping clerk" for server fleets β lets an attacker who has gotten inside take over the entire deployment platform. The technical core lies in the repo-server's no-identity intake and the abuse of kustomize, but what this CVE addresses is the default traffic restriction that closes off that abuse path.
What to do is clear. Update argo-helm to 10.0.0 or later and confirm with your own eyes that traffic restriction is truly in effect. If you can't update right away, enable traffic restriction by hand. And narrow permissions to touch Argo CD to the minimum. No real-world attacks have been reported yet, and abuse requires a foothold on the inside β but with Argo CD at the heart of production platforms, this is not something to put off. GitOps shipping infrastructure is a "top-tier asset" and should be first in line for hardening.
FAQ
Q. How do I check whether my Argo CD is affected?
First, check the version of the "argo-helm" distribution chart. Before 10.0.0 is a concern. Next, check whether traffic restriction (global.networkPolicy.create) is enabled. If it's true and traffic to repo-server and Redis is limited to Argo CD's own components, this abuse path is hard to pull off. If you're on an old chart with restriction unset, treat it as a priority.
Q. Am I safe if it's not exposed to the internet?
Since it can't be hit directly from outside, it's safer than exposing it. But this attack holds up if just one app or account inside the cluster is compromised. The deciding factor is whether you restrict not only "the perimeter" but "app-to-app traffic on the inside." Without internal isolation, risk remains even when it's private.
Q. Is it already being attacked? Should I rush?
There are no reports of real-world attacks so far, and the severity rating factors in the need for a foothold on the inside. The automation tool's release is being held back, too. But since Argo CD sits at the heart of production platforms, the damage if breached is large. No need to panic, but confirm traffic restriction and update the chart deliberately β and sooner rather than later.
Sources
- βΈ NVD - CVE-2026-15416
- βΈ Synacktiv - Caught in the Octopus Trap: Unauthenticated RCE in Argo CD with CodeQL (July 1, 2026)
- βΈ argo-helm Security Advisory - GHSA-47m3-95c7-g2g8
- βΈ Red Hat - CVE-2026-15416 (OpenShift GitOps)
- βΈ The Hacker News - Unpatched Argo CD Repo-Server Flaw Could Let Attackers Take Over Kubernetes Clusters
- βΈ CSO Online - Argo CD flaw shows why GitOps infrastructure should be treated as tier zero
- βΈ Cloud Native Now - Security Flaw in Argo CD Can Let Attackers Take Over Kubernetes Clusters
- βΈ Argo CD Official - Security Considerations

Makoto Horikawa
Backend Engineer / AWS / Django