PatchSiren

CVE-2026-42295 Unknown Vendor CVE debrief

CVE-2026-42295 affects Argo Workflows and can expose artifact repository credentials in plaintext through workflow executor logs. In versions from 4.0.0 up to, but not including, 4.0.5, anyone with read access to workflow pod logs could extract secrets such as S3 access keys, GCS service account keys, Azure account keys, or Git passwords. The issue is fixed in Argo Workflows 4.0.5.

Vendor: Unknown Vendor
Product: Unknown
CVSS: HIGH 8.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-09
Advisory published: 2026-05-09
Advisory updated: 2026-05-09

Who should care

Argo Workflows operators, Kubernetes platform teams, security and incident response teams, and anyone who can read workflow pod logs or manages artifact repository credentials.

Technical summary

The vulnerability is a sensitive-data exposure issue in the workflow executor's artifact handling path. During artifact operations, credentials for artifact repositories are written to logs in plaintext, creating a path for credential theft through log access. NVD lists the issue with a CVSS 4.0 score of 8.5 (HIGH) and a vector indicating network-based attack conditions, no user interaction, and high confidentiality and integrity impact; GitHub advisory metadata maps the weakness to CWE-522.

Defensive priority

High

Recommended defensive actions

  • Upgrade Argo Workflows to version 4.0.5 or later.
  • Restrict access to workflow pod logs to the minimum required set of users and services.
  • Rotate any artifact repository credentials that may have been exposed in logs.
  • Audit existing workflow logs for plaintext credential exposure and remove or protect any sensitive records according to retention policy.
  • Review artifact repository credential handling and logging controls to ensure secrets are never written to logs.
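
For the log audit step, a scanner along these lines can flag and mask the four credential types named above. This is an added example, not code from Argo Workflows or the advisory. The patterns follow the publicly documented shapes of each credential type, and the log lines are constructed, because the exact strings the executor writes are not given on this page.

```python
import hashlib
import re

# Publicly documented shapes of the four secret types the advisory names.
# Assumption: these are not the exact strings the Argo executor emits.
PATTERNS = {
    "s3_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "s3_secret_key": re.compile(
        r"(?i)secret[_-]?(?:access[_-]?)?key\W{1,4}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"),
    "gcs_service_account_key": re.compile(
        r"-----BEGIN (?:RSA )?PRIVATE KEY-----([A-Za-z0-9+/=\\]+)"),
    "azure_account_key": re.compile(
        r"(?i)account[_-]?key\W{1,4}([A-Za-z0-9+/]{86}==)"),
    "git_password_in_url": re.compile(r"https?://[^/\s:@]+:([^@\s/]+)@"),
}

def _mask(m):
    """Replace only the secret part of a match, by position."""
    g = m.lastindex or 0
    s, e = m.start(g) - m.start(), m.end(g) - m.start()
    return m.group(0)[:s] + "[REDACTED]" + m.group(0)[e:]

def scan(lines):
    """Report line number, kind and a SHA-256 prefix, never the secret itself."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                secret = m.group(m.lastindex or 0)
                digest = hashlib.sha256(secret.encode()).hexdigest()[:12]
                findings.append({"line": lineno, "kind": kind, "fingerprint": digest})
    return findings

def redact(line):
    """Mask every matched secret so the record can be kept under retention policy."""
    for rx in PATTERNS.values():
        line = rx.sub(_mask, line)
    return line

# Constructed sample log lines (not real Argo output, not real credentials).
AZURE_KEY = "c2FtcGxl" * 10 + "c2FtcG=="
SAMPLE = [
    'level=info msg="s3 load" accessKey=AKIAIOSFODNN7EXAMPLE '
    'secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
    r'level=info key="-----BEGIN PRIVATE KEY-----\nMIIEconstructed\n-----END PRIVATE KEY-----"',
    f'level=info msg="azure" accountKey={AZURE_KEY}',
    'level=info msg="git clone" repo=https://ci-bot:constructed-pw@git.example.com/org/repo.git',
    'level=info msg="saving artifact" endpoint=https://minio.example.com:9000/bucket',
]
```

The fingerprint lets the same leaked credential be correlated across pods and matched to a rotation ticket without copying the secret into the audit report.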

Evidence notes

The supplied CVE description states that Argo Workflows versions from 4.0.0 up to, but not including, 4.0.5 log artifact repository credentials in plaintext during artifact operations and that the issue is patched in 4.0.5. The NVD record supplies CVSS 4.0 vector AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N and cites GitHub advisory metadata identifying CWE-522. The official references supplied are the Argo Workflows v4.0.5 release and the GHSA-7vf8-2cr6-54mf advisory.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-05-09. The supplied official references tie the issue to GitHub Security Advisory GHSA-7vf8-2cr6-54mf and the Argo Workflows v4.0.5 release that contains the fix.