Back to blog
Argo CDGitOpsCVE

Argo CD and CVE-2025-55190: when a project token can expose credentials

Published on 2026-04-116 min readCleanIssue

> TL;DR: CVE-2025-55190 showed that Argo CD project-scoped tokens could retrieve repository credentials. Here is why this case is critical.

A very revealing GitOps flaw

The official Argo CD advisory GHSA-786q-9hcg-v9ff, also tracked as CVE-2025-55190 in the GitHub Advisory Database, explains that API tokens with project permissions could retrieve repository credentials through the project details endpoint.

Why this is critical

Argo CD sits at the intersection of deployment, configuration, and repository access. If a supposedly limited token can pull repository usernames and passwords, the impact quickly moves beyond the one GitOps project involved.

What this says about GitOps risk

Granular permission models often create a false sense of safety. A permission that sounds modest, such as project get or application management, can still collapse separation of privilege if it indirectly exposes secrets.

Our view

CVE-2025-55190 is an excellent GitOps security case because the danger does not sit only in the cluster or the repository. It sits in the platform connecting both and handling credentials continuously. Once access control is imperfect there, the whole deployment chain is exposed.

Key Takeaways

  • Identify and test your exposed attack surfaces before a third party does.
  • Client-side security controls never replace server-side validation.
  • Regular audits are more effective than one-time checks — vulnerabilities appear with every deployment.
  • Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit