CVE-2026-15416

Source
https://cve.org/CVERecord?id=CVE-2026-15416
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15416.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-15416
Aliases
Published
2026-07-14T08:56:29.942Z
Modified
2026-07-16T03:45:25.653461306Z
Severity
  • 8.9 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L CVSS Calculator
Summary
Argo-cd: argo cd unauthenticated remote code execution in repo-server via generatemanifest grpc endpoint
Details

A flaw was identified in Argo CD, the GitOps engine used by Red Hat OpenShift GitOps, that could allow an unauthenticated attacker with network access to the Argo CD repo-server to achieve remote code execution. Under certain conditions, the attacker may then manipulate cached data to deploy malicious Kubernetes resources to managed clusters, potentially resulting in complete cluster compromise.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/15xxx/CVE-2026-15416.json",
    "cwe_ids": [
        "CWE-306"
    ],
    "cna_assigner": "redhat"
}
References

Affected packages

Git / github.com/argoproj/argo-helm

Affected ranges

Type
GIT
Repo
https://github.com/argoproj/argo-helm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "10.0.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15416.json"