PatchSiren

argoproj CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH argoproj CVE published 2026-05-09

CVE-2026-42297

CVE-2026-42297 is a high-severity authorization flaw in Argo Workflows’ Sync Service ConfigMap-backed provider. In affected versions from 4.0.0 up to but not including 4.0.5, the provider accepted create, read, update, and delete actions on synchronization ConfigMaps without performing authorization checks. The issue was patched in Argo Workflows v4.0.5.

HIGH argoproj CVE published 2026-05-09

CVE-2026-42296

CVE-2026-42296 is an authorization/control bypass in Argo Workflows. According to the advisory, a user who only has create Workflow permission could bypass templateReferencing: Strict and submit workflows that change security-relevant pod settings, including host network access, service account selection, pod security context, tolerations, and service account token mounting. The issue was fixed in Argo Wo [truncated]

HIGH argoproj CVE published 2026-05-09

CVE-2026-42295

CVE-2026-42295 affects Argo Workflows and can expose artifact repository credentials in plaintext through workflow executor logs. In versions from 4.0.0 up to but not including 4.0.5, anyone with read access to workflow pod logs could extract secrets such as S3 access keys, GCS service account keys, Azure account keys, or Git passwords. The issue is fixed in Argo Workflows 4.0.5.

HIGH argoproj CVE published 2026-05-09

CVE-2026-42294

CVE-2026-42294 is a high-severity denial-of-service vulnerability in Argo Workflows. Before versions 3.7.14 and 4.0.5, the Webhook Interceptor on the publicly accessible /api/v1/events/ endpoint read the full request body into memory before authenticating the request or checking its signature. An attacker could send an extremely large request body and force excessive memory allocation, potentially causing [truncated]

LOW argoproj CVE published 2026-05-09

CVE-2026-42183

CVE-2026-42183 affects Argo Workflows versions from 4.0.0 up to but not including 4.0.5. In the affected SSO/RBAC configuration, a nil pointer dereference in gatekeeper authorization handling can panic the server and interrupt service for certain authenticated users. The issue is patched in Argo Workflows 4.0.5.

CRITICAL argoproj CVE published 2026-05-07

CVE-2026-42880

Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes, has a critical vulnerability (CVE-2026-42880) in its ServerSideDiff endpoint. This vulnerability, with a CVSS score of 9.6, allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. The issue affects Argo CD versions from 3.2.0 to [truncated]

HIGH argoproj CVE published 2026-05-02

CVE-2026-43824

CVE-2026-43824 is a vulnerability in Argo CD, a popular open-source continuous delivery tool for Kubernetes. The issue affects versions from 3.2.0 up to but not including 3.2.11 and from 3.3.0 up to but not including 3.3.9. The vulnerability lies in the ServerSideDiff feature and allows reading cleartext Kubernetes Secret data. This could potentially lead to unauthorized access to sensitive information. The Common Vulnerability Scoring Sys [truncated]

HIGH Argoproj CVE published 2026-04-23

CVE-2026-40886

CVE-2026-40886 is a high-severity vulnerability in Argo Workflows, an open-source container-native workflow engine. The vulnerability causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/pod-gc-strategy annotation. This panic occurs inside an informer goroutine, outside the controller's recover() scope, crashing the entire controller process. The affected pod persis [truncated]

HIGH Argoproj CVE published 2026-03-11

CVE-2026-31892

CVE-2026-31892 is a high-severity vulnerability in Argo Workflows, an open-source container-native workflow engine for Kubernetes. The vulnerability allows a user who can submit Workflows to completely bypass all security settings defined in a WorkflowTemplate by including a podSpecPatch field in their Workflow submission. This bypass occurs even when the controller is configured with templateReferencing: [truncated]

CRITICAL Argoproj CVE published 2026-03-11

CVE-2026-28229

CVE-2026-28229 is a critical vulnerability in Argo Workflows, an open-source container-native workflow engine for Kubernetes. The vulnerability allows any client to retrieve WorkflowTemplates and ClusterWorkflowTemplates without proper authorization, potentially leaking sensitive template content, including embedded Secret manifests. This issue was fixed in versions 4.0.2 and 3.7.11. The vulnerability has [truncated]

HIGH Argoproj CVE published 2026-01-21

CVE-2026-23960

CVE-2026-23960 is a high-severity vulnerability in Argo Workflows, an open-source container-native workflow engine for Kubernetes. The vulnerability allows stored XSS attacks in the artifact directory listing, enabling any workflow author to execute arbitrary JavaScript in another user's browser under the Argo Server origin. This could lead to API actions with the victim's privileges. The vulnerability ha [truncated]