Vulnerability Details CVE-2026-42297
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operations (create, read, update, delete). Any authenticated user — including those using fake Bearer tokens — can create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits. This issue has been patched in version 4.0.5.
Exploit prediction scoring system (EPSS) score
EPSS Score: 0.0
EPSS Ranking: 2.5%
CVSS Severity
CVSS v3 Score: 8.3
Products affected by CVE-2026-42297
- cpe:2.3:a:argoproj:argo_workflows:4.0.0
- cpe:2.3:a:argoproj:argo_workflows:4.0.1
- cpe:2.3:a:argoproj:argo_workflows:4.0.2
- cpe:2.3:a:argoproj:argo_workflows:4.0.3
- cpe:2.3:a:argoproj:argo_workflows:4.0.4