Go modules package
github.com/argoproj/argo-workflows/v4
pkg:golang/github.com/argoproj/argo-workflows/v4
Vulnerabilities (8)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42297 | High | 8.3 | | >= 4.0.0, < 4.0.5 | 4.0.5 | May 9, 2026 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operat |
| CVE-2026-42296 | High | 8.1 | | >= 4.0.0, < 4.0.5 | 4.0.5 | May 9, 2026 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, |
| CVE-2026-42295 | Medium | 4.9 | | >= 4.0.0, < 4.0.5 | 4.0.5 | May 9, 2026 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials (S3 access keys, secret keys, GCS service account keys, Azur |
| CVE-2026-42294 | High | 7.5 | | >= 4.0.0, < 4.0.5 | 4.0.5 | May 9, 2026 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. Thi |
| CVE-2026-42183 | Medium | 6.5 | | >= 4.0.0, < 4.0.5 | 4.0.5 | May 9, 2026 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, a nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization() causes a panic (denial of service) for SSO users |
| CVE-2026-40886 | High | 7.7 | | >= 4.0.0, < 4.0.5 | 4.0.5 | Apr 23, 2026 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed work |
| CVE-2026-31892 | — | | | < 4.0.2 | 4.0.2 | Mar 11, 2026 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 2.9.0 to before 4.0.2 and 3.7.11, a user who can submit Workflows can completely bypass all security settings defined in a WorkflowTemplate by including a podSpec |
| CVE-2026-28229 | — | | | < 4.0.2 | 4.0.2 | Mar 11, 2026 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with an Authorization |