Argo CD Repo-server RCE via Unauth Remote Code Execution
CVE-2026-15416 Published on July 14, 2026

Argo-cd: argo cd unauthenticated remote code execution in repo-server via generatemanifest grpc endpoint
A flaw was identified in Argo CD, the GitOps engine used by Red Hat OpenShift GitOps, that could allow an unauthenticated attacker with network access to the Argo CD repo-server to achieve remote code execution. Under certain conditions, the attacker may then manipulate cached data to deploy malicious Kubernetes resources to managed clusters, potentially resulting in complete cluster compromise.

NVD

Vulnerability Analysis

Attack Vector:
ADJACENT_NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
LOW

Timeline

Reported to Red Hat.

Made public.

Weakness Type

Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.


Products Associated with CVE-2026-15416

stack.watch emails you whenever new vulnerabilities are published in Red Hat Openshift Data Foundation or Red Hat Openshift Gitops. Just hit a watch button to start following.

 
 

Affected Versions

argoproj argo-helm: Red Hat Openshift Data Foundation 4: Red Hat OpenShift GitOps: Red Hat OpenShift GitOps: Red Hat OpenShift GitOps: Red Hat OpenShift GitOps: Red Hat OpenShift GitOps: Red Hat OpenShift GitOps: Red Hat OpenShift GitOps: Red Hat OpenShift GitOps: Red Hat OpenShift GitOps: Red Hat OpenShift GitOps: Red Hat OpenShift GitOps: