CVE-2026-43824 - Argo CD ServerSideDiff secret disclosure
Argo CD 3.2.0 through 3.2.10 and 3.3.0 through 3.3.8 can expose
cleartext Kubernetes Secret data through the ServerSideDiff API. The issue is
a missing authorization and masking boundary in the ServerSideDiff path used by
Argo CD to compare desired and live resources.
Most Argo CD resource-state endpoints mask Secret values before returning
responses. The affected ServerSideDiff path can return raw predicted or live
state when server-side apply dry-run data includes Secret fields. The exposure
becomes practical when an Application opts into
argocd.argoproj.io/compare-options: IncludeMutationWebhook=true, because
that setting bypasses the normal mutation-webhook cleanup layer that otherwise
helps keep real Secret values out of the diff response.
Any authenticated user with Argo CD application get permissions may be able to read Kubernetes Secret values for affected Applications, including service account tokens, TLS private material, database credentials, and API keys. This is a control-plane trust-boundary issue for GitOps and agentic infrastructure: read-only application visibility must not become credential exfiltration.
Affected versions
- Vulnerable: Argo CD >=3.2.0, <3.2.11
- Fixed: Argo CD 3.2.11+
- Vulnerable: Argo CD >=3.3.0, <3.3.9
- Fixed: Argo CD 3.3.9+
- Highest-risk condition: Applications using argocd.argoproj.io/compare-options: IncludeMutationWebhook=true while read-only or broadly scoped users can call ServerSideDiff.
Indicator-of-exposure
- The repository owns Argo CD installation, image, Helm, Kustomize, Terraform, Kubernetes manifest, operator, or GitOps bootstrap configuration.
- A deployable Argo CD target resolves to 3.2.0 through 3.2.10 or 3.3.0 through 3.3.8.
- Argo CD Applications or ApplicationSets set argocd.argoproj.io/compare-options: IncludeMutationWebhook=true.
- Non-admin users, project roles, SSO groups, automation accounts, agents, or tenant support roles have broad applications, get permissions.
- Argo CD manages Kubernetes Secrets, service account tokens, image pull credentials, TLS secrets, database credentials, or model/provider API keys.
- Argo CD API, gRPC-web, CLI, UI, or gateway paths expose ServerSideDiff beyond tightly controlled operator access.
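The indicators above combine three conditions: a vulnerable Argo CD image, an Application or ApplicationSet that opts into IncludeMutationWebhook=true, and broad applications, get grants. The following script is an added example (not part of the advisory or of the Argo CD project) that evaluates all three from the JSON that `kubectl get ... -o json` produces for Argo CD workloads, Applications/ApplicationSets, and argocd-rbac-cm. The version ranges are the advisory's; the sample inputs embedded at the bottom are constructed, and the function names are this example's own. ApplicationSets are checked on their template annotations, since that is where the annotation reappears after a direct Application fix.

```python
"""Static exposure check for CVE-2026-43824 conditions (added example, constructed inputs)."""
import json
import re

# Vulnerable ranges from the advisory: >=3.2.0,<3.2.11 and >=3.3.0,<3.3.9
VULNERABLE_RANGES = [((3, 2, 0), (3, 2, 11)), ((3, 3, 0), (3, 3, 9))]
COMPARE_OPTIONS = "argocd.argoproj.io/compare-options"
RISKY_OPTION = "IncludeMutationWebhook=true"


def parse_version(image_ref):
    """(major, minor, patch) from an image tag; None for digest-only or floating tags."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image_ref)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(image_ref):
    v = parse_version(image_ref)
    return v is not None and any(lo <= v < hi for lo, hi in VULNERABLE_RANGES)


def argocd_images(workloads):
    """Yield (workload name, image) for every argocd container in a kubectl list."""
    for item in workloads["items"]:
        for c in item["spec"]["template"]["spec"]["containers"]:
            if "argocd" in c["image"]:
                yield item["metadata"]["name"], c["image"]


def opts_into_mutation_webhook(annotations):
    """True if the comma-separated compare-options annotation carries the risky option."""
    opts = (annotations or {}).get(COMPARE_OPTIONS, "")
    return any(o.strip() == RISKY_OPTION for o in opts.split(","))


def webhook_opt_ins(apps):
    """Applications with the annotation, plus ApplicationSets whose template would stamp it."""
    hits = []
    for item in apps["items"]:
        meta = item["metadata"]
        if item["kind"] == "ApplicationSet":
            meta = item["spec"]["template"]["metadata"]
        if opts_into_mutation_webhook(meta.get("annotations")):
            hits.append(f'{item["kind"]}/{item["metadata"]["name"]}')
    return hits


def broad_app_get_grants(rbac_cm):
    """Subjects granted applications get (or *) in policy.csv, plus a policy.default
    of role:readonly, which hands every authenticated user application read access."""
    data = rbac_cm.get("data", {})
    grants = []
    if data.get("policy.default", "").strip() == "role:readonly":
        grants.append(("policy.default", "role:readonly"))
    for line in data.get("policy.csv", "").splitlines():
        f = [x.strip() for x in line.split(",")]
        if (len(f) >= 6 and f[0] == "p" and f[2] == "applications"
                and f[3] in ("get", "*") and f[5] == "allow"):
            grants.append((f[1], f[4]))
    return grants


def assess(workloads, apps, rbac_cm):
    vulnerable = [(n, i) for n, i in argocd_images(workloads) if is_vulnerable_version(i)]
    opt_ins = webhook_opt_ins(apps)
    grants = broad_app_get_grants(rbac_cm)
    return {
        "vulnerable_images": vulnerable,
        "mutation_webhook_opt_ins": opt_ins,
        "broad_get_grants": grants,
        # the advisory's highest-risk condition: all three overlap
        "highest_risk": bool(vulnerable and opt_ins and grants),
    }


# Constructed sample inputs shaped like `kubectl get ... -o json` output.
WORKLOADS = json.loads("""{"items": [
 {"metadata": {"name": "argocd-server"},
  "spec": {"template": {"spec": {"containers": [
     {"name": "argocd-server", "image": "quay.io/argoproj/argocd:v3.3.8"}]}}}}]}""")
APPS = json.loads("""{"items": [
 {"kind": "Application", "metadata": {"name": "payments",
   "annotations": {"argocd.argoproj.io/compare-options": "IgnoreExtraneous"}}},
 {"kind": "ApplicationSet", "metadata": {"name": "tenants"},
  "spec": {"template": {"metadata": {"name": "{{name}}",
   "annotations": {"argocd.argoproj.io/compare-options": "IncludeMutationWebhook=true"}}}}}]}""")
RBAC_CM = json.loads("""{"data": {"policy.default": "role:readonly",
 "policy.csv": "p, role:support, applications, get, */*, allow\\ng, support-team, role:support"}}""")

if __name__ == "__main__":
    print(json.dumps(assess(WORKLOADS, APPS, RBAC_CM), indent=2))
```

Feed it real cluster output by loading `kubectl -n argocd get deploy,statefulset -o json`, `kubectl get applications,applicationsets -A -o json`, and `kubectl -n argocd get cm argocd-rbac-cm -o json` instead of the constructed dicts; a digest-pinned image yields no version and should be resolved against the chart or lock file separately.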
Quick checks:
rg -n "argocd|argo-cd|quay\.io/argoproj/argocd|argo-cd/argo-cd|argo-cd-chart|serverSideDiff|ServerSideDiff" .
rg -n "IncludeMutationWebhook=true|argocd\.argoproj\.io/compare-options|applications.*get|role:readonly|policy\.default" .
helm list -A | grep -Ei 'argocd|argo-cd'
kubectl -n argocd get deploy,statefulset,pod -o yaml | grep -Ei 'argocd.*3\.(2|3)\.|image:.*argocd'
kubectl get applications.argoproj.io,applicationsets.argoproj.io -A -o yaml | grep -B4 -A4 'IncludeMutationWebhook=true'
kubectl -n argocd get cm argocd-cm argocd-rbac-cm -o yaml | grep -Ei 'policy\.default|applications, get|role:readonly'
Remediation strategy
- Upgrade every controlled Argo CD deployment to 3.2.11+ on the 3.2 line or 3.3.9+ on the 3.3 line. Prefer the latest supported patch release.
- Regenerate Helm locks, Kustomize pins, image digests, SBOMs, deployment render output, and GitOps bootstrap manifests.
- Remove IncludeMutationWebhook=true from Applications unless a specific workload requires it and the upgraded Argo CD version is already deployed.
- Temporarily deny or tightly restrict ServerSideDiff access at the gateway, ingress, RBAC, or operational process until all vulnerable versions are replaced.
- Review Argo CD RBAC so read-only users and automation accounts do not have broader application visibility than required.
- Rotate Kubernetes Secrets that may have been exposed when vulnerable Argo CD, IncludeMutationWebhook=true, and broad application read access overlapped.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-43824 (Argo CD ServerSideDiff cleartext
Kubernetes Secret disclosure). Produce exactly one output:
- A reviewer-ready PR/change request that upgrades Argo CD, removes or
contains vulnerable ServerSideDiff exposure, adds verification, and documents
operator cleanup, or
- TRIAGE.md if this repository does not own an affected Argo CD deployment or
cannot make a safe patch.
## Rules
- Scope only CVE-2026-43824 and directly related Argo CD ServerSideDiff
containment.
- Treat Kubernetes Secret values, service account tokens, TLS keys, image pull
credentials, model/provider API keys, SSO tokens, Argo CD session tokens, and
diff response bodies as secrets.
- Do not call ServerSideDiff against production or shared clusters to extract
or display Secret values.
- Do not print, decode, snapshot, commit, or attach real Secret data while
proving exposure or remediation.
- Do not preserve broad read-only access by relying only on documentation.
- Do not auto-merge.
## Steps
1. Inventory Argo CD ownership in this repository:
- Helm charts, `Chart.yaml`, `Chart.lock`, values files, and release pins;
- Kustomize overlays, raw Kubernetes manifests, Jsonnet, Terraform,
Crossplane, Ansible, Flux, Argo CD app-of-apps, and bootstrap scripts;
- Docker image tags or digests for `argoproj/argocd`;
- SSO/RBAC config, `argocd-rbac-cm`, AppProject roles, gateway rules,
ingress manifests, SBOMs, and runbooks.
2. If the repository does not deploy or configure Argo CD, stop with
`TRIAGE.md` naming the files checked, the runtime owner if known, and the
required fixed versions `3.2.11+` or `3.3.9+`.
3. Determine every resolved Argo CD server/controller/repo-server version. A
target is vulnerable if it resolves to:
- `>=3.2.0, <3.2.11`;
- `>=3.3.0, <3.3.9`.
4. Search all controlled Application, ApplicationSet, AppProject, Helm values,
Kustomize overlays, generated manifests, and runtime configuration for:
- `argocd.argoproj.io/compare-options`;
- `IncludeMutationWebhook=true`;
- ServerSideDiff enablement or gateway routes;
- RBAC granting `applications, get` to read-only, tenant, support,
automation, agent, or broad SSO groups.
5. Upgrade vulnerable Argo CD deployments to `3.2.11+` or `3.3.9+` using the
repository's normal delivery mechanism. Regenerate locks, image digests,
rendered manifests, SBOMs, policy bundles, and deployment evidence.
6. Remove `IncludeMutationWebhook=true` wherever it is not strictly required.
If it must remain for a workload, document the owner, justification, and
confirmation that the fixed Argo CD version is deployed before the
annotation is allowed.
7. Add temporary containment for any non-atomic rollout:
- restrict ServerSideDiff API/gRPC-web access to trusted operators;
- reduce broad `applications, get` access for low-privilege roles;
- add an ingress, gateway, service-mesh, or operational deny rule if this
repository controls one;
- document a freeze on adding `IncludeMutationWebhook=true` until patch
rollout completes.
8. Add safe verification:
- dependency/render checks proving Argo CD resolves to a fixed version;
- policy tests or static checks that flag vulnerable Argo CD versions with
`IncludeMutationWebhook=true`;
- RBAC checks proving broad read-only roles cannot access more Applications
than intended;
- a non-secret fixture test that confirms Secret values stay redacted in
diff-like outputs. Do not use production Secret values.
9. Add a PR body section named `CVE-2026-43824 operator actions` that states:
- Argo CD versions before and after the change;
- whether `IncludeMutationWebhook=true` was present and where;
- which user groups or automation accounts had application get access;
- whether ServerSideDiff was reachable through UI, CLI, API, or gateway
paths;
- which Kubernetes Secrets, namespaces, projects, or clusters require
rotation because exposure was possible;
- which Argo CD audit logs, ingress logs, and API logs should be reviewed
for ServerSideDiff calls during the vulnerable window.
10. Run the relevant validation: Helm dependency update, Kustomize build,
Terraform plan, manifest rendering, policy tests, RBAC tests, image build,
SBOM refresh, secret-scan checks, and deployment diff checks available in
this repository.
11. Use PR title:
`fix(sec): remediate CVE-2026-43824 in Argo CD ServerSideDiff`.
## Stop conditions
- No Argo CD deployment, configuration, or bootstrap path is controlled by this
repository.
- All controlled Argo CD targets already resolve to `3.2.11+` or `3.3.9+` and
no vulnerable generated deployment artifact remains.
- Required version upgrades are blocked by an operator-owned platform release
train outside this repository.
- Verifying exposure would require extracting, decoding, printing, or storing
real Kubernetes Secret values.
- Product requirements intentionally grant broad read-only Argo CD visibility
to tenants, agents, or support users; document the risk and require a
product/security decision.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.
Verification - what the reviewer looks for
- No controlled Argo CD deployment, chart lock, image digest, generated manifest, SBOM, or bootstrap artifact resolves to 3.2.0 through 3.2.10 or 3.3.0 through 3.3.8.
- IncludeMutationWebhook=true is removed, justified, or blocked until the fixed Argo CD version is deployed.
- ServerSideDiff exposure is explicitly contained during rollout when the upgrade is not atomic.
- RBAC review covers read-only users, support groups, automation accounts, SSO mappings, AppProject roles, and agent/service identities.
- The PR names the Secrets or namespaces requiring rotation when exposure was plausible, without exposing secret values.
- Validation uses non-secret fixtures and does not leak real Kubernetes Secret data into logs, snapshots, or PR artifacts.
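The prompt's step 8 asks for a non-secret fixture test that confirms Secret values stay redacted in diff-like outputs, and the verification list requires that the test itself never leaks real data. The following is an added example of such a fixture test, not code from the advisory or from Argo CD: it models a ServerSideDiff-style response as live/predicted resource pairs, applies a redaction pass to Secret `data` and `stringData`, and then checks the serialized output for the fixture values both in plain and base64 form (Secret `data` is base64-encoded, so a plain-text search alone would miss a leak). The `++++++++` placeholder, the fixture values and the function names are constructed for this example.

```python
"""Fixture test for Secret redaction in diff-like output (added example, constructed data)."""
import base64
import copy
import json

REDACTED = "++++++++"  # constructed placeholder; stands in for whatever mask the tool uses

# Constructed fixture values; nothing here is read from a cluster.
FIXTURE_PASSWORD = "fixture-db-password-not-real"
FIXTURE_TOKEN = "fixture-sa-token-not-real"


def redact_secret_fields(resource):
    """Return a copy of a resource with every Secret data/stringData value masked.
    Non-Secret resources (ConfigMaps, Deployments, ...) are returned unchanged."""
    if not isinstance(resource, dict) or resource.get("kind") != "Secret":
        return resource
    out = copy.deepcopy(resource)
    for field in ("data", "stringData"):
        if isinstance(out.get(field), dict):
            out[field] = {key: REDACTED for key in out[field]}
    return out


def redact_diff(diff_items):
    """Apply the redaction to both sides of every live/predicted pair."""
    return [
        {"live": redact_secret_fields(item.get("live")),
         "predicted": redact_secret_fields(item.get("predicted"))}
        for item in diff_items
    ]


def leaked_values(serialized_output, fixture_values):
    """Fixture values that still appear in the output, plain or base64-encoded."""
    leaks = []
    for value in fixture_values:
        encoded = base64.b64encode(value.encode()).decode()
        if value in serialized_output or encoded in serialized_output:
            leaks.append(value)
    return leaks


def build_fixture_diff():
    """A constructed diff: a Secret whose predicted state adds a stringData key, and a ConfigMap."""
    live = {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": "db-creds", "namespace": "payments"},
        "data": {"password": base64.b64encode(FIXTURE_PASSWORD.encode()).decode()},
    }
    predicted = copy.deepcopy(live)
    predicted["stringData"] = {"token": FIXTURE_TOKEN}
    cm = {"apiVersion": "v1", "kind": "ConfigMap",
          "metadata": {"name": "app-config"}, "data": {"LOG_LEVEL": "info"}}
    return [{"live": live, "predicted": predicted}, {"live": cm, "predicted": cm}]


def check_redaction(diff_items, fixture_values):
    """Report whether the unredacted input leaks (so the test is not vacuous)
    and which fixture values survive the redaction pass (must be none)."""
    before = leaked_values(json.dumps(diff_items), fixture_values)
    after = leaked_values(json.dumps(redact_diff(diff_items)), fixture_values)
    return {"fixture_detects_leak": bool(before), "leaks_after_redaction": after}


if __name__ == "__main__":
    print(json.dumps(check_redaction(build_fixture_diff(),
                                     [FIXTURE_PASSWORD, FIXTURE_TOKEN]), indent=2))
```

The `fixture_detects_leak` flag guards against a test that passes only because the fixture never contained the value in the first place; wire `check_redaction` into CI against the output of whatever diff-rendering code the repository owns, with fixture values only.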
Watch for
- Helm value updates that leave Chart.lock, app-of-apps manifests, or image digests pinned to a vulnerable Argo CD release.
- Generated manifests committed under a different path than the source chart or overlay.
- RBAC defaults such as role:readonly or catch-all policies that give more users applications, get than reviewers expect.
- ApplicationSet templates that reintroduce argocd.argoproj.io/compare-options: IncludeMutationWebhook=true after a direct Application manifest is fixed.
- Tests or debugging scripts that prove the bug by decoding and printing real Kubernetes Secret values.
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-c7mp-5hg2-gfh8
- Argo CD Security Advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3
- NVD CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-43824