PatchSiren cyber security CVE debrief
CVE-2026-28229 Argoproj CVE debrief
CVE-2026-28229 is a critical vulnerability in Argo Workflows, an open-source container-native workflow engine for Kubernetes. The vulnerability allows any client to retrieve WorkflowTemplates and ClusterWorkflowTemplates without proper authorization, potentially leaking sensitive template content, including embedded Secret manifests. This issue was fixed in versions 4.0.2 and 3.7.11. The vulnerability has a CVSS score of 9.8 and is considered CRITICAL.
- Vendor: Argoproj
- Product: Argo Workflows
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-11
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-11
- Advisory updated: 2026-06-30
Who should care
Organizations using Argo Workflows, especially those with sensitive data in workflow templates, should prioritize patching to prevent unauthorized access. Kubernetes administrators and security teams should assess their exposure and take necessary actions. Developers using Argo Workflows in their applications should also be aware of this vulnerability.
Technical summary
The vulnerability exists in the workflow template endpoints of Argo Workflows. Prior to versions 4.0.2 and 3.7.11, any client can retrieve WorkflowTemplates and ClusterWorkflowTemplates because the affected endpoints lack proper authorization checks. This can expose sensitive template content, including embedded Secret manifests.
Defensive priority
High priority should be given to patching Argo Workflows installations to prevent exploitation. Immediate action is recommended for environments with sensitive data in workflow templates.
Recommended defensive actions
- Patch Argo Workflows to version 4.0.2 or 3.7.11
- Review and update workflow templates to ensure sensitive data is properly secured
- Implement additional authorization checks for workflow template access
- Monitor for suspicious activity related to workflow template retrieval
- Consider compensating controls, such as limiting access to workflow templates
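One way to carry out the template review listed above, as an added example (not code from the Argo Workflows project or from the advisory): it scans kubectl JSON output for WorkflowTemplates and ClusterWorkflowTemplates whose resource templates embed a Secret manifest. It assumes embedded manifests are YAML text in `resource.manifest`; the function name and the sample data are constructed for illustration.

```python
import json
import re
import sys

# A "kind: Secret" line in an embedded manifest (assumes the manifest is YAML text).
SECRET_KIND = re.compile(r"^[ \t]*kind:[ \t]*[\"']?Secret[\"']?[ \t]*$", re.MULTILINE)
TEMPLATE_KINDS = {"WorkflowTemplate", "ClusterWorkflowTemplate"}

# Constructed sample in the shape of `kubectl get ... -o json` output.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "WorkflowTemplate", "metadata": {"namespace": "ci", "name": "deploy"},
     "spec": {"templates": [
         {"name": "make-secret", "resource": {"action": "create", "manifest":
          "apiVersion: v1\nkind: Secret\nmetadata:\n  name: demo\nstringData:\n  token: PLACEHOLDER\n"}},
         {"name": "make-cm", "resource": {"action": "create", "manifest":
          "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: demo\n"}},
     ]}},
    {"kind": "ClusterWorkflowTemplate", "metadata": {"name": "build"},
     "spec": {"templates": [{"name": "main", "container": {"image": "alpine"}}]}},
]})


def find_embedded_secrets(kubectl_json):
    """Return (kind, namespace, name, template) for every resource template
    whose inline manifest declares a Kubernetes Secret."""
    doc = json.loads(kubectl_json)
    findings = []
    for obj in doc.get("items", [doc]):  # accept a List or a single object
        if obj.get("kind") not in TEMPLATE_KINDS:
            continue
        meta = obj.get("metadata", {})
        for tmpl in obj.get("spec", {}).get("templates") or []:
            manifest = (tmpl.get("resource") or {}).get("manifest") or ""
            if SECRET_KIND.search(manifest):
                findings.append((obj["kind"], meta.get("namespace", ""),
                                 meta.get("name", ""), tmpl.get("name", "")))
    return findings


if __name__ == "__main__":
    # With a file argument, audit saved kubectl output; otherwise use the sample.
    data = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = fh.read()
    for kind, ns, name, tmpl in find_embedded_secrets(data):
        print(f"{kind} {ns or '-'}/{name}: template '{tmpl}' embeds a Secret manifest")
```

To audit a live cluster, save the output of `kubectl get workflowtemplates,clusterworkflowtemplates -A -o json` to a file and pass its path as the argument. Templates it reports are the ones whose contents were most sensitive to unauthorized retrieval on unpatched versions.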
Evidence notes
The vulnerability was reported and fixed by the Argo Workflows maintainers. The CVE was published on March 11, 2026, and last modified on June 30, 2026. Multiple sources, including NVD and Red Hat, have documented this vulnerability.
Official resources
- CVE-2026-28229 CVE record: CVE.org
- CVE-2026-28229 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article was generated with AI assistance based on the supplied source corpus.