High severity · NVD Advisory · Published Mar 11, 2026 · Updated Mar 11, 2026
Argo Workflows has unauthorized access to Argo Workflows Template
CVE-2026-28229
Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, the workflow template endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with an `Authorization: Bearer nothing` token can leak sensitive template content, including embedded Secret manifests. This vulnerability is fixed in 4.0.2 and 3.7.11.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/argoproj/argo-workflows/v3 (Go) | >= 3.7.0, < 3.7.11 | 3.7.11 |
| github.com/argoproj/argo-workflows/v4 (Go) | < 4.0.2 | 4.0.2 |
Affected products
osv-coords (18 versions):

| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/argo-workflow-controller-3.6 | < 3.6.19-r6 |
| pkg:apk/chainguard/argo-workflow-controller-fips-3.6 | < 3.6.19-r8 |
| pkg:apk/chainguard/argo-workflow-executor-3.6 | < 3.6.19-r6 |
| pkg:apk/chainguard/argo-workflow-executor-fips-3.6 | < 3.6.19-r8 |
| pkg:apk/chainguard/argo-workflows-3.6 | < 3.6.19-r6 |
| pkg:apk/chainguard/argo-workflows-fips-3.6 | < 3.6.19-r8 |
| pkg:apk/chainguard/kubeflow-pipelines-apiserver | < 2.16.0-r4 |
| pkg:apk/chainguard/kubeflow-pipelines-cache_server | < 2.16.0-r4 |
| pkg:apk/chainguard/kubeflow-pipelines-persistence_agent | < 2.16.0-r4 |
| pkg:apk/chainguard/kubeflow-pipelines-scheduledworkflow | < 2.16.0-r4 |
| pkg:apk/wolfi/kubeflow-pipelines-apiserver | < 2.16.0-r4 |
| pkg:apk/wolfi/kubeflow-pipelines-cache_server | < 2.16.0-r4 |
| pkg:apk/wolfi/kubeflow-pipelines-persistence_agent | < 2.16.0-r4 |
| pkg:apk/wolfi/kubeflow-pipelines-scheduledworkflow | < 2.16.0-r4 |
| pkg:bitnami/argo-workflows | < 3.7.11 |
| pkg:golang/github.com/argoproj/argo-workflows/v3 | >= 3.7.0, < 3.7.11 |
| pkg:golang/github.com/argoproj/argo-workflows/v4 | < 4.0.2 |
| pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 | < 0.0.20260317T205859-150000.1.152.1 |

- Range: >= 4.0.0, < 4.0.2
References
- github.com/advisories/GHSA-56px-hm34-xqj5 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-28229 (ghsa, ADVISORY)
- github.com/argoproj/argo-workflows/commit/34afaf9c0c36f1ba8645d483ea4752cfc4a391e8 (ghsa, WEB)
- github.com/argoproj/argo-workflows/releases/tag/v3.7.11 (ghsa, WEB)
- github.com/argoproj/argo-workflows/releases/tag/v4.0.2 (ghsa, WEB)
- github.com/argoproj/argo-workflows/security/advisories/GHSA-56px-hm34-xqj5 (ghsa, x_refsource_CONFIRM, WEB)