Go modules package
github.com/argoproj/argo-workflows/v3
pkg:golang/github.com/argoproj/argo-workflows/v3
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42296 | High | 8.1 | | < 3.7.14 | 3.7.14 | May 9, 2026 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, |
| CVE-2026-42294 | High | 7.5 | | < 3.7.14 | 3.7.14 | May 9, 2026 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. Thi |
| CVE-2026-40886 | High | 7.7 | | >= 3.7.0, < 3.7.14 | 3.7.14 | Apr 23, 2026 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed work |
| CVE-2026-31892 | — | | | < 3.7.11 | 3.7.11 | Mar 11, 2026 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 2.9.0 to before 4.0.2 and 3.7.11, a user who can submit Workflows can completely bypass all security settings defined in a WorkflowTemplate by including a podSpec |
| CVE-2026-28229 | — | | | >= 3.7.0, < 3.7.11 | 3.7.11 | Mar 11, 2026 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with an Authorization |
| CVE-2026-23960 | — | | | < 3.6.17 | 3.6.17 | Jan 21, 2026 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user's browser u |
| CVE-2025-66626 | — | | | >= 3.7.0, < 3.7.5 | 3.7.5 | Dec 9, 2025 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4 contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's |
| CVE-2025-62157 | — | | | >= 3.7.0, < 3.7.3 | 3.7.3 | Oct 14, 2025 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. An attack |
| CVE-2025-62156 | — | | | < 3.6.12 | 3.6.12 | Oct 14, 2025 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 contain a Zip Slip path traversal vulnerability in artifact extraction. During artifact extraction the unpack |
| CVE-2024-53862 | — | | | >= 3.5.7, < 3.5.13 | 3.5.13 | Dec 2, 2024 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. When using `--auth-mode=client`, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}` |
| CVE-2024-47827 | — | | | >= 3.6.0-rc1, < 3.6.0-rc2 | 3.6.0-rc2 | Oct 28, 2024 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition in a global variable in 3.6.0-rc1, the argo workflows controller can be made to crash on-command by any user with access to execute a workflow. |
| CVE-2022-29164 | — | | | >= 2.6.0, < 3.2.11 | 3.2.11 | May 5, 2022 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. In affected versions an attacker can create a workflow which produces an HTML artifact containing an HTML file that contains a script which uses XHR calls to interact w |
| CVE-2021-37914 | — | | | >= 3.1.0, < 3.1.6 | 3.1.6 | Aug 2, 2021 | In Argo Workflows through 3.1.3, if EXPRESSION_TEMPLATES is enabled and untrusted users are allowed to specify input parameters when running workflows, an attacker may be able to disrupt a workflow because expression template output is evaluated. |