CVE-2026-42297

HIGH SEVERITY

Vulnerability Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operations (create, read, update, delete). Any authenticated user — including those using fake Bearer tokens — can create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits. This issue has been patched in version 4.0.5.

Vulnerability Details

Published Date

May 04, 2026

Last Modified

May 12, 2026

CWE ID

CWE-862

Source

GitHub

Vendor

Product

github.com/argoproj/argo-workflows/v4

External References

https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xchc-cqwg-g76q
https://github.com/argoproj/argo-workflows/commit/09fff05e0830c14a5e36cc40597ad84881db1ab6
https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5
https://github.com/advisories/GHSA-xchc-cqwg-g76q

CVE-2026-42297

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment