CVE-2026-28229
Received Received - Intake
Unauthorized Access in Argo Workflows Exposes Sensitive Templates

Publication date: 2026-03-11

Last updated on: 2026-03-20

Assigner: GitHub, Inc.

Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with a Authorization: Bearer nothing token can leak sensitive template content, including embedded Secret manifests. This vulnerability is fixed in 4.0.2 and 3.7.11.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-20
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28229
EUVD
EUVD-2026-11196
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
argoproj argo_workflows From 4.0.0 (inc) to 4.0.2 (exc)
argoproj argo_workflows From 3.7.0 (inc) to 3.7.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28229 is a critical vulnerability in Argo Workflows, an open source container-native workflow engine for Kubernetes. In affected versions prior to 3.7.11 and between 4.0.0 and before 4.0.2, the WorkflowTemplates and ClusterWorkflowTemplates endpoints do not properly enforce authentication.'}, {'type': 'paragraph', 'content': 'This means that any client can send a request with an Authorization header containing the bearer token "nothing" and retrieve sensitive workflow template content, including embedded Kubernetes Secret manifests.'}, {'type': 'paragraph', 'content': 'The root cause is that the server functions responsible for retrieving these templates do not verify the authenticity or privileges of the requester, allowing unauthorized access to confidential data.'}] [1]

Impact Analysis

This vulnerability allows any unauthenticated attacker to remotely access and leak sensitive information stored in WorkflowTemplates and ClusterWorkflowTemplates.

  • Exposure of embedded Kubernetes Secret manifests, which may contain passwords, tokens, or keys.
  • Disclosure of artifact locations, service account details, environment variables, and resource manifests.

Because no authentication or user interaction is required, the attack is easy to perform and can lead to full data disclosure, potential data modification, and disruption of availability.

The vulnerability has a critical CVSS score of 9.8, indicating severe impact on confidentiality, integrity, and availability.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the Argo Workflows API endpoints for WorkflowTemplates or ClusterWorkflowTemplates using an Authorization header with a bearer token set to "nothing". If the server returns sensitive template content, including embedded Secret manifests, it indicates the system is vulnerable.'}, {'type': 'paragraph', 'content': 'A proof of concept involves sending an HTTP request to the Argo Server API with the header "Authorization: Bearer nothing" and checking if the response contains WorkflowTemplate data.'}, {'type': 'list_item', 'content': 'Use curl or a similar tool to send a request like: curl -H "Authorization: Bearer nothing" https://<argo-server>/api/v1/workflow-templates/<template-name>'}, {'type': 'list_item', 'content': 'If the response includes base64 encoded secret data or other sensitive template information, the vulnerability is present.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Argo Workflows to a patched version that addresses this vulnerability.

  • Upgrade to version 3.7.11 or later if using the 3.x series.
  • Upgrade to version 4.0.2 or later if using the 4.x series.

These versions include fixes that enforce proper authorization checks on the WorkflowTemplates and ClusterWorkflowTemplates endpoints, preventing unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28229. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart