CVE Catalog

CVE-2026-28229

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.65%

47th percentile - higher than 47% of all known CVEs

Summary

Argo Workflows prior to versions 4.0.2 and 3.7.11 allows unauthorized access to WorkflowTemplates and ClusterWorkflowTemplates via any request with an Authorization: Bearer nothing token. This can leak sensitive content, including embedded Secret manifests.

Risk Assessment

The risk involves potential disclosure of confidential information such as passwords, API keys, or certificates stored in workflow templates, which could enable an attacker to escalate privileges or access other resources.

Recommendation

Immediately upgrade Argo Workflows to version 4.0.2 or 3.7.11, which contain the fix for this vulnerability. Additionally, restrict API access using network policies and authentication mechanisms.

Original NVD description (English source)

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with a Authorization: Bearer nothing token can leak sensitive template content, including embedded Secret manifests. This vulnerability is fixed in 4.0.2 and 3.7.11.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS