CVE-2026-28229
Status: Received - Intake
Unauthorized Access in Argo Workflows Exposes Sensitive Templates

Publication date: 2026-03-11

Last updated on: 2026-03-20

Assigner: GitHub, Inc.

Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, the workflow template endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with an "Authorization: Bearer nothing" token can leak sensitive template content, including embedded Secret manifests. This vulnerability is fixed in 4.0.2 and 3.7.11.
Meta Information
Published: 2026-03-11
Last Modified: 2026-03-20
Generated: 2026-05-07
AI Q&A: 2026-03-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor     Product          Version / Range
argoproj   argo_workflows   from 4.0.0 (inclusive) up to 4.0.2 (exclusive)
argoproj   argo_workflows   from 3.7.0 (inclusive) up to 3.7.11 (exclusive)
CWE
CWE-863 Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28229 is a critical vulnerability in Argo Workflows, an open source container-native workflow engine for Kubernetes. In affected versions (3.7.0 up to but not including 3.7.11, and 4.0.0 up to but not including 4.0.2) the WorkflowTemplates and ClusterWorkflowTemplates endpoints of the Argo Server do not correctly check the caller's authorization.

This means that any client can send a request whose Authorization header carries the bearer token "nothing", a token that is not a valid credential at all, and retrieve workflow template content, including embedded Kubernetes Secret manifests.

The root cause is that the server handlers that retrieve these templates do not verify the authenticity or privileges of the requester, so the data is returned to unauthorized callers. [1]


How can this vulnerability impact me? :

This vulnerability allows any unauthenticated attacker who can reach the Argo Server API to remotely read and leak sensitive information stored in WorkflowTemplates and ClusterWorkflowTemplates.

  • Exposure of embedded Kubernetes Secret manifests, which may contain passwords, tokens, or keys.
  • Disclosure of artifact locations, service account details, environment variables, and resource manifests.

Because no valid credential or user interaction is required, the attack is trivial to perform. The direct effect is disclosure of template content; integrity and availability impact follows indirectly if the leaked passwords, tokens or keys are then used against the cluster or the systems they unlock.

The vulnerability is rated critical with a CVSS score of 9.8. Treat any secret that has ever been embedded in a template served by an affected instance as compromised and rotate it; upgrading alone does not revoke what was already read.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by requesting the Argo Server API endpoints for WorkflowTemplates or ClusterWorkflowTemplates with an Authorization header whose bearer token is the literal string "nothing" (or any other token that is not a valid credential). If the server returns template content instead of a 401/403, the instance is vulnerable.

A proof of concept is a single HTTP request to the Argo Server API with the header "Authorization: Bearer nothing", checked for WorkflowTemplate data in the response.

  • Use curl or a similar tool, e.g. curl -H "Authorization: Bearer nothing" https://<argo-server>/api/v1/workflow-templates/<namespace> to list a namespace's templates, .../api/v1/workflow-templates/<namespace>/<template-name> for a single template, and .../api/v1/cluster-workflow-templates for cluster-scoped templates.
  • If the response contains template definitions, in particular resource templates whose manifest declares kind: Secret with stringData or base64 encoded data, the vulnerability is present. [1]
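The probe above, scripted so it can be run against a whole namespace and its cluster-scoped templates at once and so that it also flags which returned templates embed a Secret. This is an added example for this page, not code from the Argo project. It assumes the Argo Server list paths /api/v1/workflow-templates/{namespace} and /api/v1/cluster-workflow-templates, a base URL and namespace passed on the command line, and a constructed sample WorkflowTemplate (SAMPLE_TEMPLATE) that only exercises the scanner offline.

```python
"""Probe an Argo Server for CVE-2026-28229 and flag templates that embed Secrets.

Added example, not Argo project code. Assumptions: the Argo Server list paths
/api/v1/workflow-templates/{namespace} and /api/v1/cluster-workflow-templates,
a reachable base URL given on the command line, and a constructed sample
WorkflowTemplate (SAMPLE_TEMPLATE) used only to exercise the scanner offline.
"""
import json
import re
import sys
import urllib.error
import urllib.request

BOGUS_TOKEN = "nothing"   # the literal token named in the advisory; any invalid token should be rejected
SECRET_KIND = re.compile(r"^\s*kind:\s*Secret\s*$", re.MULTILINE)


def probe(base_url, path, timeout=10):
    """GET base_url+path with 'Authorization: Bearer nothing'; return (status, body)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": f"Bearer {BOGUS_TOKEN}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """Map one response to 'vulnerable', 'patched' or 'unknown'.

    A patched server rejects the bogus token (401/403). A vulnerable server
    answers 200 with an Argo list object, which carries an 'items' key even
    when the namespace holds no templates (then it is null), so the key, not
    its content, is the signal that the endpoint served data without a valid
    credential.
    """
    if status in (401, 403):
        return "patched"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"          # 200 but not JSON: probably a UI/login page, not the API
        if isinstance(data, dict) and "items" in data:
            return "vulnerable"
    return "unknown"


def find_embedded_secrets(wftmpl):
    """Return names of templates whose resource manifest declares a Kubernetes Secret."""
    hits = []
    for tmpl in (wftmpl.get("spec") or {}).get("templates") or []:
        manifest = (tmpl.get("resource") or {}).get("manifest") or ""
        if SECRET_KIND.search(manifest):
            hits.append(tmpl.get("name", "<unnamed>"))
    return hits


# Constructed sample: one resource template that creates a Secret, one plain container step.
SAMPLE_TEMPLATE = {
    "metadata": {"name": "db-bootstrap", "namespace": "argo"},
    "spec": {
        "templates": [
            {
                "name": "create-secret",
                "resource": {
                    "action": "create",
                    "manifest": "apiVersion: v1\nkind: Secret\nmetadata:\n  name: db-creds\n"
                                "stringData:\n  password: example-only\n",
                },
            },
            {"name": "run", "container": {"image": "alpine:3.20", "command": ["sh", "-c", "echo ok"]}},
        ]
    },
}


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} https://argo-server.example <namespace>", file=sys.stderr)
        return 2
    base, namespace = argv[1], argv[2]
    worst = "patched"
    for path in (f"/api/v1/workflow-templates/{namespace}", "/api/v1/cluster-workflow-templates"):
        status, body = probe(base, path)
        verdict = classify(status, body)
        print(f"{path}: HTTP {status} -> {verdict}")
        if verdict == "vulnerable":
            worst = "vulnerable"
            for item in json.loads(body).get("items") or []:
                hits = find_embedded_secrets(item)
                if hits:
                    print(f"  {item.get('metadata', {}).get('name')}: embeds Secret in templates {hits}")
        elif verdict == "unknown" and worst != "vulnerable":
            worst = "unknown"
    return 1 if worst == "vulnerable" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats when reading the verdict: an Argo Server deliberately run with --auth-mode=server answers every request with its own service account and will also return 200 here by design, so confirm the configured auth mode before concluding; and the Secret scan only looks at resource-template manifests, so credentials pasted into container env values or parameters still have to be reviewed by hand.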


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Argo Workflows to a patched version that addresses this vulnerability.

  • Upgrade to version 3.7.11 or later if using the 3.x series.
  • Upgrade to version 4.0.2 or later if using the 4.x series.

These versions include fixes that enforce proper authorization checks on the WorkflowTemplates and ClusterWorkflowTemplates endpoints, preventing unauthorized access.
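A quick way to confirm which side of the fix a deployment sits on is to read the argo-server image tag and compare it with the affected ranges listed in the CPE table above. This is an added example, not Argo project code. It assumes those two ranges (3.7.0 up to 3.7.11 and 4.0.0 up to 4.0.2), the default install layout (Deployment argo-server in namespace argo, image quay.io/argoproj/argocli), and that image references are piped in one per line.

```python
"""Classify an argo-server image tag against the affected ranges on this page.

Added example, not Argo project code. Assumes the ranges listed in the CPE
table (3.7.0 <= v < 3.7.11 and 4.0.0 <= v < 4.0.2) and the default install
layout. Usage (names are the defaults from the install manifests, adjust as needed):

    kubectl -n argo get deploy argo-server \
      -o jsonpath='{.spec.template.spec.containers[*].image}{"\n"}' | python3 check_argo_version.py
"""
import re
import sys

# (first affected, first fixed) per minor line, as listed in the CPE table above
AFFECTED_RANGES = [((3, 7, 0), (3, 7, 11)), ((4, 0, 0), (4, 0, 2))]
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def image_tag(image):
    """Return the tag of an image reference, or '' if it has none (digest-only or untagged)."""
    name = image.rsplit("/", 1)[-1]      # drop registry and repository path (a host:port lives there)
    name = name.split("@", 1)[0]         # drop a @sha256:... digest suffix
    return name.split(":", 1)[1] if ":" in name else ""


def parse_version(tag):
    """Parse 'v3.7.10' or '3.7.10' into a tuple; None for 'latest', pre-releases, digests."""
    m = VERSION_RE.match(tag)
    return tuple(int(x) for x in m.groups()) if m else None


def check(image):
    """Classify one image reference: affected, fixed, unlisted, or unknown."""
    version = parse_version(image_tag(image))
    if version is None:
        return "unknown"            # pre-release/latest/digest tags must be resolved by hand
    for first_bad, first_fixed in AFFECTED_RANGES:
        if first_bad <= version < first_fixed:
            return "affected"
        if version >= first_fixed and version[:2] == first_fixed[:2]:
            return "fixed"
    return "unlisted"               # not in this page's ranges (e.g. 3.6.x); confirm against the advisory


def main():
    rc = 0
    for line in sys.stdin:
        for image in line.split():
            verdict = check(image)
            print(f"{image}: {verdict}")
            if verdict in ("affected", "unknown"):
                rc = 1
    return rc


if __name__ == "__main__":
    sys.exit(main())
```

The script exits non-zero for "affected" and for "unknown" tags, so a floating tag such as latest or a digest-pinned image is surfaced for manual resolution rather than silently passed. Versions outside the two listed ranges are reported as "unlisted" rather than "fixed", because this page only states those ranges.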

