A very revealing GitOps flaw
The official Argo CD advisory GHSA-786q-9hcg-v9ff, also tracked as CVE-2025-55190 in the GitHub Advisory Database, explains that API tokens with project permissions could retrieve repository credentials through the project details endpoint.
Why this is critical
Argo CD sits at the intersection of deployment, configuration, and repository access. If a supposedly limited token can pull repository usernames and passwords, the impact quickly moves beyond the one GitOps project involved.
What this says about GitOps risk
Granular permission models often create a false sense of safety. A permission that sounds modest, such as project get or application management, can still collapse separation of privilege if it indirectly exposes secrets.
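One way to act on that observation, as an added example that is not part of the original article or of Argo CD itself: a small audit that parses policy lines in the Casbin CSV format Argo CD uses for `argocd-rbac-cm` and AppProject roles and lists every subject holding `projects`/`get` on a given project, the permission the advisory says was enough to read repository credentials on affected builds. The policy text is constructed for the example, and glob matching is approximated with `fnmatch` rather than Argo CD's own matcher.

```python
"""List Argo CD RBAC subjects able to read a project's details.

Added example, not Argo CD code. Handles 'p, subject, resource, action,
object, effect' and 'g, subject, role' lines, resolves role inheritance
and applies Argo CD's effect rule (a matching allow wins unless a
matching deny exists). Glob matching via fnmatch is an approximation.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample: one AppProject role, a read-only role, an admin group.
SAMPLE_POLICY = """
p, proj:payments:deployer, applications, sync, payments/*, allow
p, proj:payments:deployer, projects, get, payments, allow
p, role:readonly, applications, get, */*, allow
p, role:admin, *, *, *, allow
g, ci-token, proj:payments:deployer
g, alice, role:readonly
g, platform-team, role:admin
"""

def parse_policy(text):
    perms, groups = [], defaultdict(set)
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.split(",")]
        if parts[0] == "p" and len(parts) == 6:
            perms.append(tuple(parts[1:]))  # subject, res, act, obj, effect
        elif parts[0] == "g" and len(parts) == 3:
            groups[parts[1]].add(parts[2])
    return perms, groups

def _roles_of(subject, groups, seen=None):
    """Return the subject plus every role reachable through 'g' lines."""
    seen = {subject} if seen is None else seen
    for role in groups.get(subject, ()):
        if role not in seen:
            seen.add(role)
            _roles_of(role, groups, seen)
    return seen

def subjects_with_project_get(text, project):
    """Subjects whose effective policy allows projects/get on `project`."""
    perms, groups = parse_policy(text)
    hits = set()
    for subj in {s for s, *_ in perms} | set(groups):
        effective = _roles_of(subj, groups)
        matched = [eff for s, res, act, obj, eff in perms
                   if s in effective and fnmatchcase("projects", res)
                   and fnmatchcase("get", act) and fnmatchcase(project, obj)]
        if "allow" in matched and "deny" not in matched:
            hits.add(subj)
    return sorted(hits)

if __name__ == "__main__":
    print(subjects_with_project_get(SAMPLE_POLICY, "payments"))
```

Every subject it prints is a token or role to re-scope or rotate credentials for until the deployment runs a fixed release.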
Our view
CVE-2025-55190 is an excellent GitOps security case because the danger does not sit only in the cluster or the repository. It sits in the platform connecting both and handling credentials continuously. Once access control is imperfect there, the whole deployment chain is exposed.