CVE-2026-28229

Summary

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with a Authorization: Bearer nothing token can leak sensitive template content, including embedded Secret manifests. This vulnerability is fixed in 4.0.2 and 3.7.11.

Affected Software

VendorProductVersion RangeStatus
argoprojargo-workflows>= 4.0.0, < 4.0.2affected
argoprojargo-workflows< 3.7.11affected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

argo-workflows: Argo Workflows has unauthorized access to Argo Workflows Template

Additional References

References