Medium severity4.9GHSA Advisory· Published May 9, 2026· Updated May 15, 2026

CVE-2026-42295

Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials (S3 access keys, secret keys, GCS service account keys, Azure account keys, Git passwords, etc.) in plaintext on artifact operation. Any user with read access to workflow pod logs can extract these credentials. This issue has been patched in version 4.0.5.

Affected products

Argoproj/Argo WorkflowsGHSA
Range: >= 4.0.0, < 4.0.5

Patches

bdd40908580f

Merge commit from fork

https://github.com/argoproj/argo-workflowsAlan ClucasApr 23, 2026via ghsa

commit

1 file changed · +15 −7

workflow/artifacts/logging/driver.go+15 −7 modified

@@ -21,7 +21,7 @@ func New(d common.ArtifactDriver) common.ArtifactDriver {
 
 func (d *driver) Load(ctx context.Context, inputArtifact *wfv1.Artifact, path string) error {
 	log := logging.RequireLoggerFromContext(ctx)
-	log.WithField("driver", d.ArtifactDriver).Info(ctx, "Loading artifact")
+	log.Info(ctx, "Loading artifact")
 	t := time.Now()
 	key, _ := inputArtifact.GetKey()
 	err := d.ArtifactDriver.Load(ctx, inputArtifact, path)
@@ -35,7 +35,7 @@ func (d *driver) Load(ctx context.Context, inputArtifact *wfv1.Artifact, path st
 
 func (d *driver) OpenStream(ctx context.Context, inputArtifact *wfv1.Artifact) (io.ReadCloser, error) {
 	log := logging.RequireLoggerFromContext(ctx)
-	log.WithField("driver", d.ArtifactDriver).Info(ctx, "Opening stream")
+	log.Info(ctx, "Opening stream")
 	t := time.Now()
 	key, _ := inputArtifact.GetKey()
 	rc, err := d.ArtifactDriver.OpenStream(ctx, inputArtifact)
@@ -49,7 +49,7 @@ func (d *driver) OpenStream(ctx context.Context, inputArtifact *wfv1.Artifact) (
 
 func (d *driver) Save(ctx context.Context, path string, outputArtifact *wfv1.Artifact) error {
 	log := logging.RequireLoggerFromContext(ctx)
-	log.WithField("driver", d.ArtifactDriver).Info(ctx, "Saving artifact")
+	log.Info(ctx, "Saving artifact")
 	t := time.Now()
 	key, _ := outputArtifact.GetKey()
 	err := d.ArtifactDriver.Save(ctx, path, outputArtifact)
@@ -63,13 +63,21 @@ func (d *driver) Save(ctx context.Context, path string, outputArtifact *wfv1.Art
 
 func (d *driver) Delete(ctx context.Context, s *wfv1.Artifact) error {
 	log := logging.RequireLoggerFromContext(ctx)
-	log.WithField("driver", d.ArtifactDriver).Info(ctx, "Deleting artifact")
-	return d.ArtifactDriver.Delete(ctx, s)
+	log.Info(ctx, "Deleting artifact")
+	t := time.Now()
+	key, _ := s.GetKey()
+	err := d.ArtifactDriver.Delete(ctx, s)
+	log.WithField("artifactName", s.Name).
+		WithField("key", key).
+		WithField("duration", time.Since(t)).
+		WithError(err).
+		Info(ctx, "Delete artifact")
+	return err
 }
 
 func (d *driver) ListObjects(ctx context.Context, artifact *wfv1.Artifact) ([]string, error) {
 	log := logging.RequireLoggerFromContext(ctx)
-	log.WithField("driver", d.ArtifactDriver).Info(ctx, "Listing objects")
+	log.Info(ctx, "Listing objects")
 	t := time.Now()
 	key, _ := artifact.GetKey()
 	list, err := d.ArtifactDriver.ListObjects(ctx, artifact)
@@ -83,7 +91,7 @@ func (d *driver) ListObjects(ctx context.Context, artifact *wfv1.Artifact) ([]st
 
 func (d *driver) IsDirectory(ctx context.Context, artifact *wfv1.Artifact) (bool, error) {
 	log := logging.RequireLoggerFromContext(ctx)
-	log.WithField("driver", d.ArtifactDriver).Info(ctx, "Checking if directory")
+	log.Info(ctx, "Checking if directory")
 	t := time.Now()
 	key, _ := artifact.GetKey()
 	isDir, err := d.ArtifactDriver.IsDirectory(ctx, artifact)

cvss	0.319
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000

CVE-2026-42295

Description

Affected products

Patches

Vulnerability mechanics

References

News mentions