PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28229 Argoproj CVE debrief

CVE-2026-28229 is a critical vulnerability in Argo Workflows, the open-source container-native workflow engine for Kubernetes. Before the fix, the workflow template endpoints returned WorkflowTemplates and ClusterWorkflowTemplates to any client without an authorization check, so sensitive template content, including Secret manifests embedded in templates, could be read by callers who should never have had access to it. The issue is fixed in versions 4.0.2 and 3.7.11. It carries a CVSS score of 9.8 and is rated CRITICAL.

Vendor
Argoproj
Product
Argo Workflows
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-11
Original CVE updated
2026-06-30
Advisory published
2026-03-11
Advisory updated
2026-06-30

Who should care

Organizations that run Argo Workflows should treat this as a priority, above all where workflow templates carry credentials, embedded Secret manifests or other sensitive configuration. Kubernetes platform administrators and security teams should establish which clusters run an affected release and whether the template endpoints are reachable by clients outside the intended audience. Developers who author templates should check what their templates contain, because any secret embedded in a template may have been exposed if the endpoints were reachable before patching.

Technical summary

The vulnerability is in the workflow template endpoints of Argo Workflows. Before versions 4.0.2 and 3.7.11, these endpoints returned WorkflowTemplates and ClusterWorkflowTemplates without verifying that the caller was authorized to read them, so any client able to reach the endpoints could fetch every template they served. Templates often hold more than step definitions: a template can embed a complete Kubernetes manifest, including a Secret, and can carry inline values for environment variables and parameters, so an unauthorized read discloses whatever such material the templates contain. The root cause is the missing authorization check in the affected endpoints.
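To make the bug class concrete, the following is an added illustration, not code from Argo Workflows or from this debrief: a hypothetical template handler that returns the object without consulting the caller's permissions, beside the form that makes the authorization decision first. The Template, Caller and Authorizer types, the in-memory store and its sample bodies are all assumptions made for the example; the Argo fix lives in the project's own tree.

```python
"""Added illustration of the bug class behind CVE-2026-28229. This is not Argo
Workflows code: the store, the Caller/Authorizer types and all names are
hypothetical. It shows a template handler that discloses the object without
consulting the caller's permissions, next to the form that authorizes first."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Template:
    kind: str                 # "WorkflowTemplate" or "ClusterWorkflowTemplate"
    namespace: Optional[str]  # None for the cluster-scoped kind
    name: str
    body: str                 # template content; may embed Secret manifests


@dataclass
class Caller:
    subject: Optional[str]    # None: the request carried no usable identity
    # (namespace, resource) pairs the subject may read; "*" means cluster-wide
    grants: Set[Tuple[str, str]] = field(default_factory=set)


class Authorizer:
    """Hypothetical stand-in for the RBAC decision the server must make
    (in Kubernetes terms, a SubjectAccessReview for the caller)."""

    def can_read(self, caller: Caller, kind: str, namespace: Optional[str]) -> bool:
        if caller.subject is None:
            return False      # fail closed: anonymous callers read nothing
        if kind == "ClusterWorkflowTemplate":
            # cluster-scoped kind: a per-namespace grant must not be enough
            return ("*", "clusterworkflowtemplates") in caller.grants
        return (("*", "workflowtemplates") in caller.grants
                or (namespace, "workflowtemplates") in caller.grants)


# Constructed sample store; the Secret body is made up for this example.
STORE: List[Template] = [
    Template("WorkflowTemplate", "team-a", "deploy",
             "kind: Secret\nstringData:\n  db-password: example-only\n"),
    Template("ClusterWorkflowTemplate", None, "base", "container: {image: alpine}\n"),
]


def _lookup(kind: str, namespace: Optional[str], name: str) -> Optional[Template]:
    for tpl in STORE:
        if (tpl.kind, tpl.namespace, tpl.name) == (kind, namespace, name):
            return tpl
    return None


def get_template_vulnerable(caller: Caller, kind: str, namespace: Optional[str],
                            name: str) -> Tuple[int, str]:
    """The bug class: look the object up and return it; `caller` is never consulted."""
    tpl = _lookup(kind, namespace, name)
    return (200, tpl.body) if tpl else (404, "")


def get_template_fixed(authz: Authorizer, caller: Caller, kind: str,
                       namespace: Optional[str], name: str) -> Tuple[int, str]:
    """Hardened form: authorize on the requested scope before the lookup, so a
    denied caller learns neither the body nor whether the name exists."""
    if not authz.can_read(caller, kind, namespace):
        return 403, ""
    tpl = _lookup(kind, namespace, name)
    return (200, tpl.body) if tpl else (404, "")


if __name__ == "__main__":
    anon = Caller(subject=None)
    alice = Caller("alice", {("team-a", "workflowtemplates")})
    print(get_template_vulnerable(anon, "WorkflowTemplate", "team-a", "deploy")[0])          # 200: leak
    print(get_template_fixed(Authorizer(), anon, "WorkflowTemplate", "team-a", "deploy")[0])    # 403
    print(get_template_fixed(Authorizer(), alice, "WorkflowTemplate", "team-a", "deploy")[0])   # 200
    print(get_template_fixed(Authorizer(), alice, "ClusterWorkflowTemplate", None, "base")[0])  # 403
```

Two design points carry over to any real fix: the check runs before anything about the object is disclosed (here, before the lookup, so existence is not leaked to a denied caller either), and the cluster-scoped kind is gated by a cluster-wide grant rather than by whatever namespace permission the caller happens to hold.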

Defensive priority

Patch with high priority. Treat it as immediate for environments whose templates embed Secret manifests or inline credentials, since on an unpatched release those values are readable by any client that can reach the template endpoints.

Recommended defensive actions

  • Upgrade Argo Workflows to 4.0.2 or 3.7.11 (or a later release in the same line) on every cluster that runs an affected version
  • Audit WorkflowTemplates and ClusterWorkflowTemplates for embedded Secret manifests and inline credential values; move such values into Kubernetes Secrets referenced at run time, and rotate anything that was readable while the endpoints were exposed
  • Until patched, restrict who can reach the template endpoints at the network layer (network policy, ingress allow-lists, or withdrawing public exposure), since the missing check cannot be added from outside the server
  • Monitor for unexpected retrieval of workflow templates, in particular reads from unfamiliar source addresses or identities
  • Keep templates minimal in what they carry, so that a future disclosure of template content exposes configuration rather than credentials
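The audit step above is easy to do mechanically. The scanner below is an added example, not PatchSiren's or the Argo project's code: it walks exported template objects in the JSON shape that `kubectl get ... -o json` produces, flags resource steps whose inline manifest is a Secret, and flags environment variables with a credential-looking name that carry a literal `value` instead of a `valueFrom` reference. The sample input is constructed for the example, and the name pattern used to spot credentials is a heuristic, not a list from the advisory.

```python
"""Added example (not PatchSiren's or the Argo project's code): scan exported
WorkflowTemplate / ClusterWorkflowTemplate objects for content that should not
live in a template, i.e. embedded Secret manifests and inline credential-like
values. Input follows the `kubectl get ... -o json` shape (a List whose items
carry metadata and spec.templates); SAMPLE below is constructed for the demo."""
import json
import re
from typing import Any, Dict, Iterable, List, Tuple

Finding = Tuple[str, str, str, str]   # (kind, namespace/name, template name, issue)

# A Kubernetes manifest embedded as a string inside a resource template.
SECRET_KIND = re.compile(r"^\s*kind:\s*[\"']?Secret[\"']?\s*$", re.MULTILINE)
# Heuristic: env var names that usually carry credentials (an assumption, not a standard).
SENSITIVE_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.IGNORECASE)


def _object_ref(item: Dict[str, Any]) -> str:
    md = item.get("metadata", {})
    ns, name = md.get("namespace"), md.get("name", "?")
    return f"{ns}/{name}" if ns else name     # cluster-scoped objects have no namespace


def _inline_env(step: Dict[str, Any]) -> Iterable[Dict[str, Any]]:
    # container and script templates both carry a Kubernetes-style env list
    for key in ("container", "script"):
        for env in (step.get(key) or {}).get("env", []) or []:
            yield env


def scan_item(item: Dict[str, Any]) -> List[Finding]:
    findings: List[Finding] = []
    kind, ref = item.get("kind", "?"), _object_ref(item)
    for step in item.get("spec", {}).get("templates", []) or []:
        tname = step.get("name", "?")
        manifest = (step.get("resource") or {}).get("manifest", "")
        if isinstance(manifest, str) and SECRET_KIND.search(manifest):
            findings.append((kind, ref, tname, "embedded Secret manifest"))
        for env in _inline_env(step):
            # `value` is a literal baked into the template; `valueFrom` is a reference
            if "value" in env and SENSITIVE_NAME.search(env.get("name", "")):
                findings.append((kind, ref, tname, f"inline value for env {env['name']}"))
    return findings


def scan_kubectl_json(text: str) -> List[Finding]:
    """Accepts a kubectl List or a single object; returns all findings."""
    doc = json.loads(text)
    items = doc.get("items", [doc]) if isinstance(doc, dict) else doc
    return [f for item in items for f in scan_item(item)]


# Constructed sample: one namespaced template with two problems, one clean cluster template.
SAMPLE = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"apiVersion": "argoproj.io/v1alpha1", "kind": "WorkflowTemplate",
     "metadata": {"name": "deploy", "namespace": "team-a"},
     "spec": {"templates": [
         {"name": "make-creds", "resource": {"action": "create",
          "manifest": "apiVersion: v1\nkind: Secret\nmetadata:\n  name: db\n"
                      "stringData:\n  password: example-only\n"}},
         {"name": "migrate", "container": {"image": "alpine",
          "env": [{"name": "DB_PASSWORD", "value": "example-only"},
                  {"name": "DB_HOST", "value": "db.internal"}]}}]}},
    {"apiVersion": "argoproj.io/v1alpha1", "kind": "ClusterWorkflowTemplate",
     "metadata": {"name": "base"},
     "spec": {"templates": [
         {"name": "run", "script": {"image": "python:3",
          "env": [{"name": "API_TOKEN",
                   "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}}]}}]}}]})


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for finding in scan_kubectl_json(text):
        print(*finding, sep="\t")
```

Run it against real exports by piping `kubectl get workflowtemplates -A -o json` and `kubectl get clusterworkflowtemplates -o json` into it. Every finding is a value that an unpatched release would have handed to an unauthorized reader, so each one is both a cleanup item and a rotation candidate.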

Evidence notes

The vulnerability was reported and fixed by the Argo Workflows maintainers. The CVE was published on March 11, 2026, and last modified on June 30, 2026. Multiple sources, including NVD and Red Hat, have documented this vulnerability.

Official resources

This article was generated with AI assistance based on the supplied source corpus.