PatchSiren cyber security CVE debrief
CVE-2026-42294 Unknown Vendor CVE debrief
CVE-2026-42294 is a high-severity denial-of-service vulnerability in Argo Workflows. Before versions 3.7.14 and 4.0.5, the Webhook Interceptor on the publicly accessible /api/v1/events/ endpoint read the full request body into memory before authenticating the request or checking its signature. An attacker could send an extremely large request body and force excessive memory allocation, potentially causing an out-of-memory crash in Argo Server.
- Vendor: Unknown Vendor
- Product: Unknown
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-09
- Original CVE updated: 2026-05-09
- Advisory published: 2026-05-09
- Advisory updated: 2026-05-09
Who should care
Teams operating Argo Workflows, especially clusters exposing Argo Server to untrusted networks or relying on the /api/v1/events/ webhook endpoint for inbound integrations. Kubernetes platform owners and SREs should also care because the failure mode is service disruption rather than data exposure.
Technical summary
The issue is a resource-exhaustion flaw (CWE-770). The vulnerable path accepts webhook traffic on /api/v1/events/ and loads the entire body before any authentication or signature validation occurs. That ordering lets an unauthenticated caller force memory growth by submitting a very large body, creating a denial-of-service condition and possible OOM termination. The published fix is available in Argo Workflows v3.7.14 and v4.0.5.
Defensive priority
High for any deployment exposing Argo Server or webhook ingress to untrusted clients; prioritize immediate patching if the endpoint is reachable from outside trusted networks.
Recommended defensive actions
- Upgrade Argo Workflows to v3.7.14 or later on the 3.7 line, or v4.0.5 or later on the 4.0 line.
- Review whether /api/v1/events/ is internet-facing or reachable from broad network segments; restrict access to trusted webhook sources where possible.
- Add or tighten edge controls that limit request body size for webhook paths to reduce blast radius from oversized submissions.
- Monitor Argo Server for abnormal memory growth, restarts, or OOMKill events around webhook traffic.
- If you front the endpoint with additional middleware or proxies, confirm that any webhook authentication or signature check they perform happens before expensive request processing such as buffering the full body.
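One way to put the last three actions into practice in a reverse proxy or sidecar, as an added example that is not Argo Workflows' own code: a Go handler that checks a bearer token from the headers before touching the body, caps what it will ever buffer, and verifies an HMAC only over the bounded body. The token, HMAC key, header names and size cap are assumptions for the example, not values from the advisory.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"net/http"
	"net/http/httptest"
)

// Constructed cap for this example; size it for your real webhook payloads.
const maxWebhookBody = 64 << 10
// sign returns the hex HMAC-SHA256 a legitimate sender puts in X-Signature-256 (assumed header).
func sign(key, body []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}
// webhookHandler orders its checks so an unauthenticated or oversized request never
// triggers a large allocation: token from headers, hard cap on the stream, then HMAC.
func webhookHandler(token string, key []byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Authenticate from headers only; no body byte has been read at this point.
		if !hmac.Equal([]byte(r.Header.Get("Authorization")), []byte("Bearer "+token)) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		// MaxBytesReader bounds the allocation for any body, chunked or not.
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxWebhookBody))
		if err != nil {
			http.Error(w, "too large", http.StatusRequestEntityTooLarge)
			return
		}
		// The signature needs the bytes, so it is checked over the bounded body only.
		if !hmac.Equal([]byte(sign(key, body)), []byte(r.Header.Get("X-Signature-256"))) {
			http.Error(w, "bad signature", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusAccepted)
	})
}
// send drives the handler in-process and returns the HTTP status code.
func send(h http.Handler, auth, sig string, body io.Reader) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/api/v1/events/", body)
	req.Header.Set("Authorization", auth)
	req.Header.Set("X-Signature-256", sig)
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

An oversized body is now refused with 413 after at most maxWebhookBody bytes have been buffered, and a request without the token is refused before any of the body is read.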
Evidence notes
The assessment is based on the supplied NVD record and its official GitHub references. The CVE description states that the Webhook Interceptor loads the entire body before authentication/signature verification and that versions 3.7.14 and 4.0.5 contain the patch. Reference URLs include the upstream commit, the two fixed release tags, and the GitHub Security Advisory.
Official resources
Published 2026-05-09. The provided sources identify the fix as available in Argo Workflows v3.7.14 and v4.0.5.