CVE-2026-42294
Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an extremely large body (e.g., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. This issue has been patched in versions 3.7.14 and 4.0.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/argoproj/argo-workflows/v3Go | < 3.7.14 | 3.7.14 |
github.com/argoproj/argo-workflows/v4Go | >= 4.0.0, < 4.0.5 | 4.0.5 |
Affected products
5>= 4.0.0, < 4.0.5+ 1 more
- (no CPE)range: >= 4.0.0, < 4.0.5
- cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*range: <3.7.14
- osv-coords3 versionspkg:bitnami/argo-workflowspkg:golang/github.com/argoproj/argo-workflows/v3pkg:golang/github.com/argoproj/argo-workflows/v4
< 3.7.14+ 2 more
- (no CPE)range: < 3.7.14
- (no CPE)range: < 3.7.14
- (no CPE)range: >= 4.0.0, < 4.0.5
Patches
Vulnerability mechanics
References
6- github.com/argoproj/argo-workflows/commit/7abb4de6c3599e2d5d960ba4d5de4cf1df109965nvdPatchWEB
- github.com/argoproj/argo-workflows/security/advisories/GHSA-jcc8-g2q4-9fxqnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-jcc8-g2q4-9fxqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-42294ghsaADVISORY
- github.com/argoproj/argo-workflows/releases/tag/v3.7.14nvdRelease NotesWEB
- github.com/argoproj/argo-workflows/releases/tag/v4.0.5nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.