Argo CD Repo-server RCE via Unauth Remote Code Execution
CVE-2026-15416 Published on July 14, 2026
Argo-cd: argo cd unauthenticated remote code execution in repo-server via generatemanifest grpc endpoint
A flaw was identified in Argo CD, the GitOps engine used by Red Hat OpenShift GitOps, that could allow an unauthenticated attacker with network access to the Argo CD repo-server to achieve remote code execution. Under certain conditions, the attacker may then manipulate cached data to deploy malicious Kubernetes resources to managed clusters, potentially resulting in complete cluster compromise.
Vulnerability Analysis
Timeline
Reported to Red Hat.
Made public.
Weakness Type
Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Products Associated with CVE-2026-15416
stack.watch emails you whenever new vulnerabilities are published in Red Hat Openshift Data Foundation or Red Hat Openshift Gitops. Just hit a watch button to start following.
Affected Versions
argoproj argo-helm:- Before 10.0.0 is affected.