CRITICAL🇵🇱 Wersja polska

CVE-2026-28229

CVSS 9.8v3.1pub. 2026-03-11upd. 2026-06-30

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with a Authorization: Bearer nothing token can leak sensitive template content, including embedded Secret manifests. This vulnerability is fixed in 4.0.2 and 3.7.11.

🤖 AI Analysis
How it works

API endpoints handling workflow templates (WorkflowTemplates and ClusterWorkflowTemplates) incorrectly verify authorization of incoming requests. An attacker can send an HTTP request with the 'Authorization: Bearer nothing' header — essentially any false token — and receive the full content of templates in response. These templates may contain embedded Kubernetes Secret manifests, leading to the leakage of sensitive authentication and configuration data. The error is classified as improper authorization (CWE-863), meaning the system does not correctly check whether the requesting entity has the right to access the resource.

Impact

An attacker without any permissions can read all workflow templates, including sensitive data embedded in them (e.g., passwords, tokens, API keys contained in Secret manifests). This can lead to compromise of the entire Kubernetes environment managed by Argo Workflows.

Mitigation & patch

Argo Workflows should be updated to version 4.0.2 or 3.7.11, in which the vulnerability has been fixed. Additionally, it is recommended to review workflow templates for the presence of embedded sensitive data and move them to dedicated secret management mechanisms.

Who is affected

Argo Workflows in versions earlier than 4.0.2 and earlier than 3.7.11

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Argoproj Argo Workflows

    APP
    Argoproj
    3.7.0 – 3.7.11 (bez)4.0.0 – 4.0.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References

Related vulnerabilities

CVE-2026-42296HIGH8.1ten sam produkt

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete...

CVE-2026-42297HIGH8.5ten sam produkt

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete...

CVE-2026-42295HIGH8.5ten sam produkt

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete...

CVE-2026-42294HIGH8.2ten sam produkt

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete...

CVE-2026-40886HIGH7.7ten sam produkt

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete...