CVE-2026-28229
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk47th percentile - higher than 47% of all known CVEs
Summary
Argo Workflows prior to versions 4.0.2 and 3.7.11 allows unauthorized access to WorkflowTemplates and ClusterWorkflowTemplates via any request with an Authorization: Bearer nothing token. This can leak sensitive content, including embedded Secret manifests.
Risk Assessment
The risk involves potential disclosure of confidential information such as passwords, API keys, or certificates stored in workflow templates, which could enable an attacker to escalate privileges or access other resources.
Recommendation
Immediately upgrade Argo Workflows to version 4.0.2 or 3.7.11, which contain the fix for this vulnerability. Additionally, restrict API access using network policies and authentication mechanisms.
Original NVD description (English source)
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with a Authorization: Bearer nothing token can leak sensitive template content, including embedded Secret manifests. This vulnerability is fixed in 4.0.2 and 3.7.11.

