Login Sign Up

CVE-2021-26923

7.5 HIGH
Authentication Bypass

📋 TL;DR

CVE-2021-26923 is an information disclosure vulnerability in Argo CD where the /api/version endpoint leaks internal system information without requiring authentication. This affects all Argo CD deployments before version 1.8.4. Attackers can access sensitive internal data that could aid further attacks.

💻 Affected Systems

Products:
  • Argo CD
Versions: All versions before 1.8.4
Operating Systems: All platforms running Argo CD
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable if the API endpoint is accessible.

📦 What is this software?

Argo Cd by Argoproj

View all CVEs affecting Argo Cd →

Argo Cd by Argoproj

View all CVEs affecting Argo Cd →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers obtain detailed internal system information that could enable targeted attacks, privilege escalation, or lateral movement within the environment.

🟠

Likely Case

Unauthenticated attackers gather internal system details that reveal deployment architecture, versions, and potentially sensitive configuration information.

🟢

If Mitigated

With proper network segmentation and authentication controls, impact is limited to information disclosure only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP GET request to /api/version endpoint without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.4 and later

Vendor Advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-pfgj-mh5m-2p48

Restart Required: Yes

Instructions:

1. Backup your Argo CD configuration. 2. Update to Argo CD version 1.8.4 or later. 3. Restart Argo CD services. 4. Verify the fix by testing the /api/version endpoint.

🔧 Temporary Workarounds

Network Access Control

all

Restrict access to Argo CD API endpoints using network firewalls or security groups.

Reverse Proxy Authentication

all

Place Argo CD behind a reverse proxy that requires authentication before reaching the API.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Argo CD from untrusted networks
  • Deploy a web application firewall (WAF) to block unauthorized access to /api/version endpoint

🔍 How to Verify

Check if Vulnerable:

Send HTTP GET request to https://[argo-cd-server]/api/version without authentication. If it returns internal system information, the system is vulnerable.

Check Version:

argocd version --client

Verify Fix Applied:

After patching, attempt the same request. It should return 401 Unauthorized or be properly protected.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests to /api/version endpoint
  • Multiple failed authentication attempts followed by /api/version access

Network Indicators:

  • Unusual traffic patterns to /api/version from external IPs
  • HTTP GET requests to /api/version without authentication headers

SIEM Query:

source="argo-cd" AND (uri_path="/api/version" AND NOT auth_success="true")

📊 Metadata

CVE ID: CVE-2021-26923
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-200
Published: March 15, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-26923, you might also want to check these:

CVE-2025-61481 10.0

MikroTik RouterOS and SwOS expose their WebFig management interface over unencrypted HTTP by default...

Same vulnerability type (CWE-200)
CVE-2025-53624 10.0

The Docusaurus gists plugin versions before 4.0.0 expose GitHub Personal Access Tokens in client-sid...

Same vulnerability type (CWE-200)
CVE-2023-49103 10.0

This vulnerability in ownCloud's graphapi app exposes PHP configuration details (phpinfo) via a thir...

Same vulnerability type (CWE-200)