CVSS 7.3 HIGH Vulnerability

CVE-2026-45738: Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege…


CVSS Score: 7.3
Severity: HIGH
CISA KEV: No
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-45738
Vendor: go
Affected Product: github.com/argoproj/argo-cd/v3
Vulnerability Type: Vulnerability
CVSS Score: 7.3 (HIGH)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory →
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis


Summary: A user with application write access (developer role) can set link.argocd.argoproj.io/* annotations on any Argo CD Application. These annotation values are rendered in the Summary tab's URLs section as link elements without any URL validation. Using the pipe-separator format (Display Text | javascript:...), an attacker can inject a javascript: URI behind a legitimate-looking label (e.g. GitHub Repo). When a higher-privileged user (admin) clicks the link, arbitrary JavaScript executes in the Argo CD origin within the admin's authenticated session, enabling API exfiltration and privilege escalation from developer to admin.

Details: Vulnerable sink: ui/src/app/applications/components/application-summary/application-summary.tsx:277
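As an added example (not Argo CD's own code, and not the patch for this CVE), the following TypeScript implements the validation the sink above is described as lacking: it splits a link annotation value in the "Display Text | URL" form named in the summary, parses the URL part with the standard WHATWG URL parser, and only yields an href for http(s) schemes. The same function can be run offline over an Application's metadata.annotations to find already-stored links that would be rejected. The annotation keys, sample values and function names are constructed for this example; that Argo CD splits on a single `|` is an assumption taken from the summary's description.

```typescript
// Added example: validating Argo CD link annotations before they are rendered.
// Not Argo CD code. The "|" split follows the "Display Text | URL" format the
// advisory describes; everything else here is an assumption for illustration.

const LINK_ANNOTATION_PREFIX = "link.argocd.argoproj.io/";
const ALLOWED_SCHEMES = ["http:", "https:"]; // javascript:, data:, etc. are rejected

interface LinkCheck {
  key: string;
  title: string;        // display text shown to the user
  href: string | null;  // normalized URL, or null when the link must not be rendered
  reason: string;
}

// Split "Display Text | URL" into its parts; a value with no "|" is a bare URL.
function parseLinkAnnotation(value: string): { title: string; rawUrl: string } {
  const sep = value.indexOf("|");
  if (sep === -1) {
    const url = value.trim();
    return { title: url, rawUrl: url };
  }
  return { title: value.slice(0, sep).trim(), rawUrl: value.slice(sep + 1).trim() };
}

// Return a safe href or null. Parsing with `new URL` normalizes the scheme
// (case, leading whitespace, embedded tab/newline), so an allowlist on
// `protocol` is not bypassed by "JavaScript:" or "java\tscript:" spellings.
function safeHref(rawUrl: string): { href: string | null; reason: string } {
  let parsed: URL;
  try {
    parsed = new URL(rawUrl);
  } catch (e) {
    // relative and protocol-relative values are refused as well: render only what we understand
    return { href: null, reason: "not an absolute URL" };
  }
  if (ALLOWED_SCHEMES.indexOf(parsed.protocol) === -1) {
    return { href: null, reason: "disallowed scheme " + parsed.protocol };
  }
  return { href: parsed.href, reason: "ok" };
}

// Audit every link annotation on an Application. Usable in the UI (render only
// entries with a non-null href) and offline over metadata.annotations pulled
// from the cluster to detect already-stored malicious links.
function auditLinkAnnotations(annotations: { [key: string]: string }): LinkCheck[] {
  const out: LinkCheck[] = [];
  for (const key of Object.keys(annotations)) {
    if (key.indexOf(LINK_ANNOTATION_PREFIX) !== 0) continue;
    const { title, rawUrl } = parseLinkAnnotation(annotations[key]);
    const { href, reason } = safeHref(rawUrl);
    out.push({ key, title, href, reason });
  }
  return out;
}

// Constructed sample annotation map (not taken from the advisory).
const SAMPLE_ANNOTATIONS: { [key: string]: string } = {
  "link.argocd.argoproj.io/external-link": "GitHub Repo | https://github.com/argoproj/argo-cd",
  "link.argocd.argoproj.io/docs": "Docs |  JavaScript:void(0)",
  "link.argocd.argoproj.io/dashboard": "Dashboard | //grafana.example.internal/d/abc",
  "link.argocd.argoproj.io/report": "Report | data:text/html,unused",
  "argocd.argoproj.io/sync-wave": "1", // not a link annotation, ignored
};

function demo(): LinkCheck[] {
  const results = auditLinkAnnotations(SAMPLE_ANNOTATIONS);
  for (const r of results) {
    console.log(r.href === null ? "REJECT" : "ALLOW ", r.key, "->", r.reason);
  }
  return results;
}

demo();
```

Of the four sample links, only the https one is rendered; the case-altered javascript: value, the protocol-relative value and the data: value all come back with a null href and a reason that can be logged or surfaced to an admin.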

🎯 Known Indicators of Compromise

{"type":"domain","value":"link.argocd.argoproj.io","confidence_score":0.75,"first_seen":"2026-05-19","source_count":1}
