Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation — CVE-2026-45738

GitHub · GitHub · CVE-2026-45738

ID
CVE-2026-45738

Date
2026-05-19

Activity
2026-05-19

Source
GitHub

Vendor
GitHub

Threat
high

CVSS
7.3

Summary

### Summary A user with **application write access (developer role)** can set `link.argocd.argoproj.io/*` annotations on any ArgoCD Application. These annotation values are rendered in the Summary tab's **URLs section** as `<a href>` elements without URL validation. Using the pipe-separator trick (`Display Text | javascript:...`), an attacker can inject a `javascript:` URI while displaying a legitimate-looking…

Product

go: github.com/argoproj/argo-cd/v3 | go: github.com/argoproj/argo-cd/v2 | go: github.com/argoproj/argo-cd

What to do

General, cautious steps (verify details in the official source):

Prioritize patching or mitigation immediately (treat as actively risky).
Identify affected product versions in your inventory and verify whether you are impacted.
Apply vendor patches/updates or recommended mitigations as soon as available.
Read the official advisory for exact affected versions and remediation steps.

Official advisory

Related advisories

GitHub GitHub 2026-W21

Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation — CVE-2026-45738

Summary

Product

What to do

Official advisory

Related advisories

ethyca-fides has a DOM-based XSS vulnerability in fides.js via fides_description override

Malicious code in guardrails-ai 0.10.1 (supply chain compromise)

Mobile Verification Toolkit (MVT): Path Traversal via unsanitized File identifiers in iOS Backup processing

OpenMetadata: TEST_CONNECTION workflow leaks ingestion-bot JWT and database password to regular users

samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions

Arbitrary Code Execution via Crafted Keras Config for Model Loading