PatchSiren cyber security CVE debrief
CVE-2026-42297 Unknown Vendor CVE debrief
CVE-2026-42297 is a high-severity authorization flaw in Argo Workflows’ Sync Service ConfigMap-backed provider. In affected versions, from 4.0.0 up to but not including 4.0.5, the provider accepted create, read, update, and delete actions on synchronization ConfigMaps without performing authorization checks. The issue was patched in Argo Workflows v4.0.5.
- Vendor: Unknown Vendor
- Product: Unknown
- CVSS: HIGH 8.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-09
- Original CVE updated: 2026-05-09
- Advisory published: 2026-05-09
- Advisory updated: 2026-05-09
Who should care
Operators of Argo Workflows clusters running version 4.0.0 through 4.0.4, especially environments where the Sync Service uses the ConfigMap-backed provider and where authenticated users can reach the workflow API.
Technical summary
The vulnerable code path is the Sync Service’s ConfigMap-backed provider (server/sync/sync_cm.go). According to the advisory and NVD record, all CRUD operations on the synchronization ConfigMaps were missing authorization checks. As a result, any authenticated user—including one presenting a fake Bearer token, per the vendor description—could manipulate ConfigMaps that store synchronization limits. NVD assigns a CVSS 4.0 vector with network exposure, low attack complexity, low privileges required, no user interaction, and high integrity/availability impact, consistent with an authorization-bypass issue (CWE-862).
Defensive priority
Immediate for any cluster still on Argo Workflows 4.0.0-4.0.4; upgrade to 4.0.5 or later as soon as possible.
Recommended defensive actions
- Upgrade Argo Workflows to version 4.0.5 or later.
- Review which users or services can authenticate to the workflow API and restrict exposure where possible.
- Audit existing ConfigMaps used for synchronization limits for unauthorized changes or unexpected values.
- Check logs and audit trails for unusual CRUD activity against Sync Service ConfigMaps around the disclosure window.
- Validate that authentication and authorization are enforced consistently in front of the Sync Service paths after upgrading.
Evidence notes
This debrief is based on the supplied NVD CVE record and the linked GitHub security advisory, patch commit, and v4.0.5 release tag. The NVD entry provides the CVSS 4.0 vector and CWE-862 classification; the GitHub references identify the fix location and the patched release.
Official resources
CVE-2026-42297 was published and modified on 2026-05-09. The issue was publicly recorded in NVD on that date, and the linked GitHub advisory/release show the fix in Argo Workflows v4.0.5.