VYPR
High severity · NVD Advisory · Published Oct 14, 2025 · Updated Oct 14, 2025

Argo Workflows exposes artifact repository credentials in workflow-controller logs

CVE-2025-62157

Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. An attacker with permissions to read pod logs in a namespace running Argo Workflows can read the workflow-controller logs and obtain credentials to the artifact repository. Update to versions 3.6.12 or 3.7.3 to remediate the vulnerability. No known workarounds exist.
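The failure mode described above, and one way to make it harder to reintroduce, as an added example that is not Argo Workflows code. The `Secret` type, `PlainRepo`, `SafeRepo`, `ConfigLogLine` and the sample key are hypothetical, and the standard library's `encoding/json` stands in for the YAML marshaller used by the controller.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const redacted = "[REDACTED]"

// Secret wraps a credential so that formatting and JSON encoding
// emit a placeholder; only Reveal returns the real value.
type Secret string

func (s Secret) Reveal() string             { return string(s) }
func (Secret) String() string               { return redacted }
func (Secret) GoString() string             { return redacted }
func (Secret) MarshalJSON() ([]byte, error) { return json.Marshal(redacted) }

// PlainRepo and SafeRepo are hypothetical config types, not Argo's.
type PlainRepo struct {
	Bucket    string `json:"bucket"`
	SecretKey string `json:"secretKey"`
}

type SafeRepo struct {
	Bucket    string `json:"bucket"`
	SecretKey Secret `json:"secretKey"`
}

// ConfigLogLine reproduces the pattern of logging the whole marshalled
// config; it returns the line instead of writing it to a logger.
func ConfigLogLine(cfg any) (string, error) {
	b, err := json.MarshalIndent(cfg, "", "  ")
	if err != nil {
		return "", err
	}
	return "Configuration:\n" + string(b), nil
}

// Constructed sample credential, not a real key.
const sampleKey = "EXAMPLE-constructed-secret-key"

func main() {
	leaky, _ := ConfigLogLine(PlainRepo{Bucket: "artifacts", SecretKey: sampleKey})
	safe, _ := ConfigLogLine(SafeRepo{Bucket: "artifacts", SecretKey: sampleKey})
	fmt.Println(leaky) // the key appears in plaintext
	fmt.Println(safe)  // the placeholder appears in its place
	fmt.Printf("%+v\n", SafeRepo{Bucket: "artifacts", SecretKey: sampleKey})
}
```

A type like this limits the damage of a stray log line; it does not replace removing the log line, which is what the patches do.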

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
github.com/argoproj/argo-workflows/v3 (Go) | >= 3.7.0, < 3.7.3 | 3.7.3
github.com/argoproj/argo-workflows/v3 (Go) | < 3.6.12 | 3.6.12


Patches

18ad5138b6bc

Merge commit from fork

https://github.com/argoproj/argo-workflows · Alan Clucas · Oct 14, 2025 · via ghsa
1 file changed · +3 −2
  • workflow/controller/config.go · +3 −2 · modified
    @@ -18,11 +18,12 @@ import (
     )
     
     func (wfc *WorkflowController) updateConfig() error {
    -	bytes, err := yaml.Marshal(wfc.Config)
    +	_, err := yaml.Marshal(wfc.Config)
     	if err != nil {
     		return err
     	}
    -	log.Info("Configuration:\n" + string(bytes))
    +	log.Info("Configuration updated")
    +
     	wfc.artifactRepositories = artifactrepositories.New(wfc.kubeclientset, wfc.namespace, &wfc.Config.ArtifactRepository)
     	wfc.offloadNodeStatusRepo = sqldb.ExplosiveOffloadNodeStatusRepo
     	wfc.wfArchive = sqldb.NullWorkflowArchive
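
Review bot: On the `_, err := yaml.Marshal(wfc.Config)` line, the marshalled bytes are now discarded, so the call survives only for its error return while still serializing the full config, credentials included, on every update. If it is meant as a validity check, say so in a comment; otherwise drop the call together with the `if err != nil` block. The blank line added after `log.Info("Configuration updated")` is a stray whitespace change that the other patch for this function does not carry.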
    
bded09fe4abd

Merge commit from fork

https://github.com/argoproj/argo-workflows · Alan Clucas · Oct 14, 2025 · via ghsa
1 file changed · +2 −2
  • workflow/controller/config.go · +2 −2 · modified
    @@ -19,11 +19,11 @@ import (
     )
     
     func (wfc *WorkflowController) updateConfig(ctx context.Context) error {
    -	bytes, err := yaml.Marshal(wfc.Config)
    +	_, err := yaml.Marshal(wfc.Config)
     	if err != nil {
     		return err
     	}
    -	log.Info("Configuration:\n" + string(bytes))
    +	log.Info("Configuration updated")
     	wfc.artifactRepositories = artifactrepositories.New(wfc.kubeclientset, wfc.namespace, &wfc.Config.ArtifactRepository)
     	wfc.offloadNodeStatusRepo = persist.ExplosiveOffloadNodeStatusRepo
     	wfc.wfArchive = persist.NullWorkflowArchive
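
Review bot: The replacement `log.Info("Configuration updated")` is the only change and the commit touches just `config.go`, so nothing guards against a later edit logging the marshalled config again. Consider adding a test that runs `updateConfig` with a sentinel credential in `wfc.Config` and asserts the captured log output does not contain it. If operators relied on the old dump for troubleshooting, logging a redacted copy would keep that diagnostic value without printing the raw struct.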
    
