Organizations using Argo CD to automate application deployments on Kubernetes are being urged to review their network configurations after security researchers disclosed an unpatched vulnerability that could allow attackers to execute arbitrary code on the platform's repo-server component and ultimately seize control of an entire Kubernetes cluster.
The vulnerability was identified by French cybersecurity firm Synacktiv, which says the issue affects the repo-server, a core Argo CD service responsible for retrieving application source code from Git repositories and converting it into Kubernetes manifests before workloads are deployed. Because the repo-server sits at the center of the GitOps deployment process, compromising it gives an attacker an opportunity to interfere with how applications are delivered throughout the cluster.
According to the researchers, exploitation does not require authentication. An attacker only needs network access to the repo-server's internal gRPC service, which accepts requests from other Argo CD components but does not verify the identity of the caller. Once that communication channel becomes reachable, a specially crafted request can be used to trigger remote code execution on the vulnerable service.
Synacktiv reported the vulnerability to the Argo CD maintainers in January 2025 through a responsible disclosure process. However, roughly eighteen months later, the issue remains unresolved, with no official security patch or CVE identifier assigned. The researchers chose to disclose their findings publicly to give administrators time to strengthen their deployments while awaiting a permanent fix.
At the center of the attack is Argo CD's repo-server, which continuously retrieves application definitions stored in Git repositories and prepares them for deployment by generating Kubernetes manifests. These manifests describe the desired state of applications, including containers, services, networking, storage, and other deployment configurations that Kubernetes uses to build and manage workloads. Since every deployment passes through this component, gaining control of the repo-server can provide attackers with extensive influence over the software being deployed inside a cluster.
The vulnerability stems from an unauthenticated internal gRPC interface exposed by the repo-server. gRPC is a high-performance communication framework commonly used for communication between services inside distributed applications. In Argo CD's design, the interface is intended for trusted internal communication. However, Synacktiv found that the service performs no authentication checks, allowing any system capable of reaching the port to submit requests that the repo-server will process.
The researchers demonstrated the attack against Argo CD version 2.13.3. They noted that no patched release currently exists and did not publish a complete list of affected versions, leaving administrators without a definitive inventory of vulnerable deployments.
To achieve code execution, the attack abuses Kustomize, a Kubernetes configuration management tool that Argo CD relies on to generate deployment manifests. Kustomize can also invoke Helm, another widely used package manager for Kubernetes, through the "--helm-command" option that specifies which executable should be launched.
Instead of directing Kustomize to the legitimate Helm binary, Synacktiv discovered that an attacker can send a malicious GenerateManifest request instructing it to execute a script stored inside an attacker-controlled Git repository. When Kustomize begins processing the deployment, it unknowingly launches the attacker's script in place of Helm, providing arbitrary code execution within the repo-server environment.
Although the vulnerable interface is intended to remain internal, the researchers warn that internal services should not automatically be considered secure. Kubernetes clusters frequently host dozens or even hundreds of interconnected workloads, and a compromise affecting a single pod can become the starting point for lateral movement if internal communication is not properly restricted.
Argo CD includes Kubernetes NetworkPolicy resources designed to limit access to sensitive services such as the repo-server and Redis. However, Synacktiv found that these protections are disabled by default when Argo CD is deployed using its Helm chart because the "networkPolicy.create" option is set to "false". As a result, installations that rely on the default configuration may unintentionally leave the repo-server reachable from other workloads running inside the cluster.
In such environments, compromising a single pod may be enough for an attacker to contact the repo-server and exploit the vulnerability.
The researchers also demonstrated that remote code execution represents only the beginning of the attack chain. After obtaining execution on the repo-server, they extracted the Redis password stored in an environment variable, authenticated to Argo CD's Redis instance, and modified cached deployment information. When Argo CD later performed its routine synchronization with the Git repository, the poisoned cache caused the platform to deploy an attacker-controlled workload instead of the intended application.
According to Synacktiv, this technique effectively revives a previously addressed weakness tracked as CVE-2024-31989. That earlier vulnerability, discovered by Cycode, exposed Argo CD deployments where Redis lacked password protection, allowing any pod inside the cluster to manipulate deployment cache data. Although Argo CD later introduced Redis password protection to address that issue, the cache contents themselves remain unsigned. By stealing the Redis credentials through the newly disclosed repo-server vulnerability, attackers can once again tamper with deployment data and recreate a similar compromise path.
With no software update currently available, researchers recommend treating network segmentation as the primary line of defense. Administrators should enable Kubernetes NetworkPolicy rules to ensure that only legitimate Argo CD components can communicate with the repo-server and Redis services. Organizations deploying Argo CD through Helm should verify that these policies have been explicitly enabled rather than relying on the chart's default configuration.
Administrators can inspect active network policies by running:
"kubectl get networkpolicy -A"
A properly secured deployment should display dedicated network policies protecting each Argo CD component, including both the repo-server and Redis. Missing policies may indicate that sensitive internal services remain accessible to other workloads inside the cluster.
To help organizations evaluate their exposure, Synacktiv developed a proof-of-concept tool named argo-cdown, capable of automating the complete attack chain. The researchers have postponed its public release to provide defenders with additional time to secure vulnerable environments. The tool is expected to be published on GitHub later, allowing administrators to validate the effectiveness of their own security controls.
The newly disclosed vulnerability is the latest in a series of security issues affecting Argo CD's privileged position within Kubernetes environments. In September 2025, the project patched CVE-2025-55190 after researchers found that an API token with only basic read permissions could retrieve Git repository credentials associated with a project. Several months later, in May 2026, another flaw tracked as CVE-2026-42880 enabled read-only users to access plaintext Kubernetes secrets.
Taken together, these incidents point to a recurring challenge rather than isolated implementation flaws. Argo CD occupies one of the most privileged positions within Kubernetes deployments, maintaining access to source repositories, deployment pipelines, cluster resources, and sensitive credentials. As a result, weaknesses affecting its internal services can quickly become pathways to broader infrastructure compromise.
Until an official patch becomes available, organizations should assume that internal cluster traffic cannot always be trusted. Restricting communication between workloads, enabling Kubernetes NetworkPolicy protections, and limiting access to critical Argo CD services remain the most effective measures for reducing exposure to this newly disclosed attack technique.
After an investigation of the breach, the organization discovered that between March and April, the hacker accessed files carrying personal data of employees.
It is a Japanese industrial manufacturer famous for its construction and agricultural work. Kubota has plants in 120 counties and currently employs over 52,000 people. Kubota has an annual revenue of $20 billion.
The North American division consists of facilities that make utility vehicles, tractors, and mowers.
“We discovered that files maintained by our human resources team were accessed as part of this incident. We carefully reviewed these files, and on June 16, 2026, we determined that one or more files may have contained personal information related to certain employees and their dependents,” Kubota reported on its site.
As per the announcement posted on the Kubota USA portal, the following employee information may have been revealed:
The specific data that was exposed varies per person. Kubota also started sending personalised mails to inform the individuals about the exact impact on them.
The notification information consists step by step instructions for using Kroll identity protection to help the targets address the threats coming from the leak of their personal data.
Kubota has specially advised people to look out for bank accounts and healthcare related statements and promptly report any malicious activity to the concerned authorities.
Kubot has implemented robust security measures to avoid such incidents from happening in the future.
No cybercrime gangs, data extortion gangs, or ransomware gangs have claimed responsibility for the Kubota breach.
Kubota did not report any operational or business disruptions due to the breach.
On ensuring employee safety, Kubota said, “We take the privacy and confidentiality of our employees’ information very seriously. To help prevent something like this from happening again, we have taken and will continue to take steps to further enhance our existing security measures.”
Anthropic is preparing to restore access to its Claude Fable 5 artificial intelligence model after the U.S. Department of Commerce lifted export controls that had temporarily restricted deployment of the company's most advanced AI systems.
The company announced on X that access to Claude Fable 5 will begin returning on Wednesday following the government's decision. Anthropic also confirmed that the export restrictions affecting both Claude Fable 5 and Claude Mythos 5 have been removed.
"We've received notice that the Department of Commerce has lifted export controls on Claude Fable 5 and Mythos 5," the company said in its statement, adding that it will begin restoring access on Wednesday and provide additional updates as the rollout progresses.
Anthropic also thanked its community for its patience during the temporary suspension and acknowledged the teams involved in preparing the models for redeployment.
Although the rollout is set to begin immediately, the company has not clarified whether Claude Fable 5 will become available to all users at the same time. It remains uncertain whether users outside the United States will regain access during the initial phase of the deployment or whether availability will expand gradually across different regions.
The export restrictions were introduced earlier after U.S. authorities raised national security concerns surrounding the deployment of highly capable frontier AI models. During that period, Anthropic temporarily suspended access while it worked to comply with government requirements and strengthen safeguards governing the release of its latest systems.
While restoring access to its models, Anthropic also appears to be expanding identity verification measures for certain Claude services.
Recent references to Know Your Customer (KYC) procedures discovered on the company's website suggest that some users may soon be required to verify their identities before accessing specific Claude capabilities. The references have prompted speculation that advanced models such as Claude Fable 5 could initially be limited to verified users or become available only in certain regions as Anthropic gradually expands access.
According to Anthropic's support documentation, identity verification is being introduced for a limited number of use cases. Users may encounter verification requests when using particular Claude features, during routine platform integrity reviews, or as part of broader safety, security and regulatory compliance checks.
The company says the verification process is intended to reduce abuse of its AI systems, enforce platform usage policies and meet legal obligations associated with operating increasingly powerful AI technologies.
"Being responsible with powerful technology starts with knowing who is using it," Anthropic said while explaining the purpose of the new verification measures.
Anthropic has selected Persona as its identity verification provider. Users who are asked to complete verification may be required to submit a valid government-issued photo identification document, including a passport, driver's license, state or provincial identification card, or a national identity card.
The company notes that several forms of identification will not be accepted during the verification process. These include photocopies, screenshots, scanned documents, mobile IDs, student identification cards, employee badges, bank cards and temporary paper identification documents.
Some users may also be asked to complete a live selfie verification using the camera on a computer or mobile device. According to Anthropic, the entire verification process typically takes less than five minutes to complete.
Addressing privacy concerns, the company says identity documents and selfie data are collected and stored by Persona rather than directly within Anthropic's own systems. However, Anthropic may access verification records through Persona when necessary, including during account review or appeal processes.
Anthropic also emphasized that identity verification information is not used to train Claude's AI models. Instead, the data is used solely to confirm a user's identity and to satisfy the company's legal, safety and compliance responsibilities.
The restoration of Claude Fable 5, together with the introduction of targeted identity verification measures, reflects the growing intersection of frontier AI development, government oversight and platform security. As developers release increasingly capable AI systems, compliance requirements, export regulations and stronger user verification are becoming a more prominent part of deploying advanced models responsibly.
WhatsApp users will soon have a new option to talk without exposing their contact numbers. Prior to the wider update set for this year, WhatsApp has started launching username reservations in advance, permitting people to pre-claim a unique username before the feature becomes publicly available.
“For most people, choosing a WhatsApp username should be something unique that only people you want to contact you will know. If you need help picking one, we have a username generator to make one work just for you. We also know that some people like creators, small businesses, and organizations may want to maintain a consistent presence online. For them, we reserved an option to claim their existing Instagram or Facebook username on WhatsApp.” WhatsApp wrote in its blog.
This move is said to be WhatsApp’s one of the biggest privacy-focused modifications, allowing users to start chats through a username instead of showing their contact number. WhatsApp released the feature in an official blog post recently, and said the feature launch will take place gradually in the next few months.
The company has started allowing users to book a username in advance so that they can choose the handle they want and have a better chance. The early reservation process is important because WhatsApp now has over three billion users across the world. This feature will be optional and gradually allow users to replace their contact number with a user handle when texting someone for the first time (but the username has to be turned on).
Users can see the feature by updating to the latest version and going to Settings > Account > Username.
The users will get an in-app notification when the feature is available in their country.
If someone has already taken your user name, WhatsApp will offer a built-in userhandle generator that provides alternative unique handles.
Contrary to many social media platforms, WhatsApp will not launch a searchable username directory. Users can only contact someone if they know the specific username.
Every major technological change has followed a familiar pattern: organizations embrace innovation first, while security teams are left adapting controls after deployment. Cloud computing, Software-as-a-Service (SaaS), and DevOps all reshaped enterprise security in this way. Agentic AI is now driving the next transformation, but with a more complex challenge. Unlike conventional applications, AI agents actively authenticate, interact with APIs, query databases, generate code, and execute workflows across production environments, often using credentials and permissions that organizations have yet to fully catalogue.
This changes the conversation around AI security. Rather than focusing solely on what an AI model can generate, security leaders must determine who an AI agent represents, what systems it can access, who is accountable for its actions, and whether its privileges can be modified or revoked as business requirements evolve.
Traditional identity and access management programs were designed around employees whose access follows established roles and review processes. The rapid expansion of machine identities, including service accounts, API keys, certificates, and workload identities, already challenged that approach. Autonomous AI agents introduce another level of complexity because they can interpret objectives, make decisions, and perform actions independently while operating at machine speed. They can also be deployed by developers, embedded into SaaS platforms, delegated permissions by users, and continue running long after their original purpose has ended.
Static access controls are increasingly inadequate for these systems. An AI assistant summarizing customer support tickets requires far fewer privileges than one capable of issuing refunds, modifying customer records, or deploying production infrastructure. Instead of relying on permanent permissions, organizations should adopt contextual, task-specific, time-limited, and continuously evaluated access policies that adjust according to an agent's responsibilities.
The rapid growth of agentic AI also introduces three identity risks that security teams cannot ignore. Many enterprises already lack visibility into AI agents operating across cloud services, developer environments, and business applications, making ownership and accountability difficult to establish. At the same time, broad permissions granted during testing frequently evolve into long-term identity debt, leaving agents with unnecessary administrative access. Attackers are also exploiting prompt injection techniques, manipulating trusted agents through untrusted content to perform unintended actions when effective privilege boundaries are absent.
Addressing these risks requires identity-centric governance rather than a separate AI security strategy. Every AI agent should possess a unique identity, a clearly assigned owner, a defined business purpose, and a controlled lifecycle supported by strong credential management and continuous monitoring. Automated discovery, policy enforcement, and access reviews will become essential as organizations deploy growing numbers of autonomous systems.
As enterprises integrate agentic AI into everyday operations, the security question is no longer limited to what AI can produce. The greater concern is what autonomous agents are authorized to do, and whether those identities remain governed throughout their entire lifecycle. Organizations that strengthen identity governance today will be better positioned to embrace AI-driven innovation without expanding their attack surface.
China's latest open-weight artificial intelligence model is drawing attention within the cybersecurity community after independent evaluations indicated that it can rival some of the vulnerability detection capabilities of leading U.S. frontier AI systems. The findings are fueling renewed debate over whether restricting access to advanced American AI models is enough to slow the spread of powerful cyber capabilities.
Chinese AI company Zhipu AI, also known as Z.ai, released its GLM-5.2 model on June 13 under a permissive open-weight license. Unlike proprietary AI systems that are only accessible through controlled cloud services, open-weight models allow researchers and developers to download the model weights and run them on their own hardware. This approach enables offline deployment, customization through fine-tuning, and unrestricted experimentation without requiring ongoing approval from the model developer.
The release stands in contrast to Anthropic's Claude Mythos, one of several advanced AI systems whose availability has been limited under U.S. export controls because of concerns that highly capable models could be misused for offensive cyber operations. While GLM-5.2 still falls behind leading models from Anthropic and OpenAI across many general-purpose reasoning benchmarks, recent testing suggests it performs remarkably well in one highly specialized area: identifying software vulnerabilities.
Independent benchmarking conducted by Semgrep found that GLM-5.2 achieved an F1 score of 39% when detecting Insecure Direct Object Reference (IDOR) vulnerabilities. IDOR flaws arise when applications expose internal object identifiers without properly verifying whether a user is authorized to access the requested resource, making them a common source of unauthorized data access and privilege abuse. Under the same evaluation conditions, Claude Code recorded scores ranging from 32% to 37%, placing GLM-5.2 slightly ahead in this specific cybersecurity task.
The benchmark also underlined a notable economic advantage. Researchers estimated that GLM-5.2 identified vulnerabilities at an average cost of approximately $0.17 per finding, roughly one-sixth of the cost associated with comparable Claude-based workflows. Lower operating costs could make advanced AI-assisted vulnerability research accessible to a much broader range of organizations, independent researchers, and software security teams.
Additional benchmarking conducted by Graphistry reached similar conclusions, reinforcing the view that an openly downloadable Chinese model can compete with frontier U.S. AI systems in narrowly focused cybersecurity applications. The independent evaluations are particularly noteworthy because they relied on standardized testing methodologies designed to reduce benchmark contamination and minimize vendor-specific bias.
The findings arrive amid growing concern in Washington over the national security implications of frontier artificial intelligence. The Trump administration has increasingly treated advanced AI models such as Mythos and Fable as strategic technologies because of their ability to automate complex cybersecurity tasks, including discovering previously unknown software vulnerabilities that could potentially be weaponized in cyber operations.
Those concerns have shaped U.S. export control policies that restrict access to some advanced AI systems for foreign organizations, including researchers based in China. The underlying assumption behind these controls is that limiting access to the most capable American models would delay competing nations from acquiring comparable cyber capabilities. GLM-5.2's performance is prompting renewed questions about whether restricting model access alone can achieve that objective when capable alternatives are being developed elsewhere.
The discussion is further informed by Anthropic's Project Glasswing, which previously demonstrated the cybersecurity potential of frontier AI by identifying more than 10,000 critical software vulnerabilities during its initial research phase. The project illustrated how advanced language models can assist security researchers in reviewing large codebases, prioritizing weaknesses, and accelerating vulnerability discovery. If open-weight models begin approaching similar levels of performance, comparable capabilities may no longer remain exclusive to a small number of tightly controlled AI providers.
The latest development also comes shortly after OpenAI introduced GPT-5.6 with limited availability because of concerns surrounding misuse. Together, these decisions reflect a broader effort by U.S. AI developers to place increasingly capable models behind controlled access mechanisms while balancing innovation with national security considerations.
Cybersecurity researchers note that advances in open-weight models create opportunities as well as risks. Defensive teams could use these systems to automate code reviews, strengthen secure software development practices, and accelerate vulnerability remediation. At the same time, threat actors may attempt to exploit the same capabilities to identify weaknesses in software before organizations have an opportunity to patch them. Because GLM-5.2 can be downloaded and operated locally, these capabilities are available globally regardless of whether users have access to commercial U.S. AI services.
The emergence of GLM-5.2 does not necessarily indicate that Chinese AI has surpassed American frontier models across every benchmark. However, its strong performance in specialized cybersecurity evaluations suggests that the technological gap is narrowing in selected high-value domains. The development is likely to intensify debate over whether hardware restrictions and access controls alone are sufficient to preserve leadership in AI-driven cybersecurity, or whether future policy must place greater emphasis on strengthening defensive capabilities, accelerating software patching, and preparing for a world where advanced vulnerability discovery tools become increasingly accessible worldwide.