VYPR

Bitnami package

argo-workflows

pkg:bitnami/argo-workflows

Vulnerabilities (16)

  • CVE-2026-42297 · High · May 9, 2026
    affected >= 4.0.0, < 4.0.5; fixed 4.0.5

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operat

  • CVE-2026-42296 · High · May 9, 2026
    affected < 3.7.14; fixed 3.7.14

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts,

  • CVE-2026-42295 · Med · May 9, 2026
    affected >= 4.0.0, < 4.0.5; fixed 4.0.5

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials (S3 access keys, secret keys, GCS service account keys, Azur

  • CVE-2026-42294 · High · May 9, 2026
    affected < 3.7.14; fixed 3.7.14

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. Thi

  • CVE-2026-42183 · Med · May 9, 2026
    affected >= 4.0.0, < 4.0.5; fixed 4.0.5

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, a nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization() causes a panic (denial of service) for SSO users

  • CVE-2026-40886 · High · Apr 23, 2026
    affected >= 3.6.5, < 3.7.14; fixed 3.7.14

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed work

  • CVE-2026-31892 · Mar 11, 2026
    affected >= 2.9.0, < 3.7.11; fixed 3.7.11

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 2.9.0 to before 4.0.2 and 3.7.11, a user who can submit Workflows can completely bypass all security settings defined in a WorkflowTemplate by including a podSpec

  • CVE-2026-28229 · Mar 11, 2026
    affected < 3.7.11; fixed 3.7.11

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with an Authorization

  • CVE-2026-23960 · Jan 21, 2026
    affected < 3.6.17; fixed 3.6.17

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser u

  • CVE-2025-66626 · Dec 9, 2025
    affected < 2.5.3; fixed 2.5.3

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4 contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's

  • CVE-2025-62157 · Oct 14, 2025
    affected < 3.6.12; fixed 3.6.12

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. An attack

  • CVE-2025-62156 · Oct 14, 2025
    affected < 3.6.12; fixed 3.6.12

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 contain a Zip Slip path traversal vulnerability in artifact extraction. During artifact extraction the unpack

  • CVE-2024-53862 · Dec 2, 2024
    affected >= 3.5.7, < 3.6.2; fixed 3.6.2

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. When using `--auth-mode=client`, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}`

  • CVE-2024-47827 · Oct 28, 2024
    affected >= 3.6.0-rc1, < 3.6.0-rc2; fixed 3.6.0-rc2

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition in a global variable in 3.6.0-rc1, the Argo Workflows controller can be made to crash on command by any user with access to execute a workflow.

  • CVE-2022-29164 · May 5, 2022
    affected >= 2.6.0, < 3.2.11; fixed 3.2.11

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. In affected versions an attacker can create a workflow which produces an HTML artifact containing an HTML file that contains a script which uses XHR calls to interact w

  • CVE-2021-37914 · Aug 2, 2021
    affected < 3.1.4; fixed 3.1.4

    In Argo Workflows through 3.1.3, if EXPRESSION_TEMPLATES is enabled and untrusted users are allowed to specify input parameters when running workflows, an attacker may be able to disrupt a workflow because expression template output is evaluated.