The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-22424

CVE-2024-22424: Argoproj Argo CD CSRF Vulnerability

CVE-2024-22424 is a cross-site request forgery vulnerability in Argoproj Argo CD that allows attackers to execute unauthorized API calls. This article covers the technical details, affected versions, and mitigation steps.

Updated: January 22, 2026

CVE-2024-22424 Overview

CVE-2024-22424 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Argo CD, a declarative GitOps continuous delivery tool for Kubernetes. The vulnerability exists in the Argo CD API and allows attackers who have the ability to write HTML to a page on the same parent domain as Argo CD to perform unauthorized actions on behalf of authenticated users. By exploiting the lack of proper content-type validation, attackers can bypass browser CORS protections and trick users into executing malicious API calls.

Critical Impact

This vulnerability enables attackers to perform unauthorized actions through the Argo CD API, potentially allowing them to create applications running malicious code within Kubernetes environments when exploited against authenticated users.

Affected Products

  • Argo CD versions prior to 2.10-rc2
  • Argo CD versions prior to 2.9.4
  • Argo CD versions prior to 2.8.8
  • Argo CD versions prior to 2.7.15

Discovery Timeline

  • 2024-01-19 - CVE-2024-22424 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-22424

Vulnerability Analysis

This Cross-Site Request Forgery vulnerability stems from inadequate content-type validation in the Argo CD API. The attack chain involves multiple browser security mechanisms and how they interact with Argo CD's cookie policies.

Argo CD implements the "Lax" SameSite cookie policy to mitigate CSRF attacks from external domains. While this prevents attackers controlling external websites from accessing the Argo CD auth token, it does not protect against attacks originating from subdomains of the same parent domain. Many organizations deploy Argo CD on internal subdomains (e.g., argocd.internal.example.com), creating an attack surface when other subdomains on the same parent domain are compromised.

Browsers typically provide additional protection through CORS policies, which require a preflight request for POST requests with sensitive content types like application/json. However, the vulnerable Argo CD versions failed to validate the Content-Type header on incoming requests, allowing attackers to specify non-sensitive content types such as text/plain to bypass the preflight check entirely while still sending JSON payloads that Argo CD would process.

Root Cause

The root cause of CVE-2024-22424 is the missing validation of the Content-Type header in the Argo CD API. The API accepted and processed JSON request bodies regardless of the Content-Type header specified in the request. This oversight allowed attackers to circumvent browser-enforced CORS protections by setting the Content-Type to a "simple" content type (like text/plain) that doesn't trigger preflight requests, while still sending JSON data that the server would parse and execute.

Attack Vector

The attack requires an attacker to place malicious HTML/JavaScript code on a subdomain sharing the same parent domain as the Argo CD installation. When an authenticated Argo CD user visits the attacker-controlled page:

  1. The malicious page makes a POST request to the Argo CD API with Content-Type set to text/plain
  2. The browser does not send a preflight request because text/plain is considered a "simple" content type
  3. The browser includes the Argo CD authentication cookie because the request targets a parent domain (allowed by "Lax" SameSite policy)
  4. The Argo CD API accepts the request despite the incorrect Content-Type and processes the JSON payload
  5. The attacker's intended action (such as creating a malicious application) is executed with the victim's privileges

The attack could allow an adversary to create applications that deploy malicious containers, modify existing application configurations, or perform other administrative actions depending on the victim's permissions.

Detection Methods for CVE-2024-22424

Indicators of Compromise

  • Unusual API requests to Argo CD endpoints with non-standard Content-Type headers such as text/plain containing JSON payloads
  • Application creation or modification events that don't correlate with expected user activity or CI/CD pipeline operations
  • Argo CD audit logs showing administrative actions originating from unexpected referrer domains or during unusual timeframes

Detection Strategies

  • Enable and monitor Argo CD audit logging for all API requests, paying attention to the Content-Type headers and request origins
  • Implement network monitoring to detect cross-origin requests to Argo CD API endpoints from internal subdomains
  • Review Argo CD application deployments for unauthorized or unexpected application definitions
  • Configure SIEM rules to alert on API requests with mismatched Content-Type headers and JSON bodies

Monitoring Recommendations

  • Deploy web application firewall (WAF) rules to inspect and log requests with suspicious Content-Type and body combinations
  • Establish baseline patterns for normal Argo CD API usage and alert on deviations, particularly around application creation
  • Monitor authentication logs for sessions that perform actions inconsistent with the user's typical behavior
  • Implement real-time alerting for any new application deployments that weren't initiated through approved pipelines

How to Mitigate CVE-2024-22424

Immediate Actions Required

  • Upgrade Argo CD to patched versions: 2.10-rc2, 2.9.4, 2.8.8, or 2.7.15 or later immediately
  • Review Argo CD audit logs for any suspicious API activity that may indicate prior exploitation
  • Audit all currently deployed applications for unauthorized or unexpected deployments
  • Implement network segmentation to limit which internal systems can access Argo CD
  • Consider implementing additional authentication factors or session validation for sensitive operations

Patch Information

Security patches are available in Argo CD versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15. The patch introduces a breaking API change where the Argo CD API will no longer accept non-GET requests that do not specify application/json as their Content-Type header. The accepted content types list is configurable, though disabling the content type check entirely is discouraged. For detailed patch information, refer to the GitHub Pull Request and the GitHub Security Advisory GHSA-92mw-q256-5vwg.

Workarounds

  • There are no known workarounds for this vulnerability; upgrading to a patched version is the only mitigation
  • As a defense-in-depth measure, restrict network access to Argo CD to trusted sources only while planning the upgrade
  • Implement strict Content Security Policy (CSP) headers on all internal web applications to reduce the risk of malicious script execution
  • Educate users about the risks of clicking links from untrusted sources while Argo CD sessions are active
bash
# Upgrade Argo CD to patched version using kubectl
kubectl -n argocd set image deployment/argocd-server argocd-server=quay.io/argoproj/argocd:v2.9.4

# Verify the upgrade was successful
kubectl -n argocd get deployment argocd-server -o jsonpath='{.spec.template.spec.containers[0].image}'

# Check Argo CD version
argocd version --client

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeCSRF
  • Vendor/TechArgo Cd
  • SeverityHIGH
  • CVSS Score8.3
  • EPSS Probability0.06%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityHigh
  • IntegrityHigh
  • AvailabilityHigh
  • CWE References
  • CWE-352
  • Technical References
  • GitHub Issue for Argo CD
  • Vendor Resources
  • GitHub Pull Request for Argo CD
  • GitHub Security Advisory GHSA-92mw-q256-5vwg
  • Related CVEs
  • CVE-2025-55190: Argo CD Information Disclosure Flaw
  • CVE-2025-47933: Argo CD XSS Vulnerability
  • CVE-2024-31989: Argo CD Privilege Escalation Vulnerability
  • CVE-2024-37152: Argo CD Auth Bypass Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English