cvedb.io
CVE-2023-22736
HIGH · CVSS 8.5
EPSS exploitation probability: 0%
Published 2023-01-26T21:18:13.110 · Last modified 2026-06-17T05:36:03.973

Summary

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces. Reconciled Application namespaces are specified as a comma-delimited list of glob patterns. When sharding is enabled on the Application controller, it does not enforce that list of patterns when reconciling Applications. For example, if Application namespaces are configured to be argocd-*, the Application controller may reconcile an Application installed in a namespace called other, even though it does not start with argocd-. Reconciliation of the out-of-bounds Application is only trigger

Affected products

argoproj — argo_cd

Does this affect you?

Add your gear to cvedb and we'll alert you only when argoproj ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.