CVE-2026-42295
Argo Workflows Credential Exposure in Artifact Logs
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| argo | workflows | From 4.0.0 (inc) to 4.0.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Argo Workflows versions from 4.0.0 to before 4.0.5. The workflow executor logs all artifact repository credentials, such as S3 access keys, secret keys, GCS service account keys, Azure account keys, and Git passwords, in plaintext during artifact operations. As a result, any user with read access to the workflow pod logs can extract these sensitive credentials.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of sensitive credentials used for accessing artifact repositories. If an attacker or unauthorized user gains read access to the workflow pod logs, they can retrieve these plaintext credentials and potentially misuse them to access or manipulate stored artifacts, cloud services, or source code repositories.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in Argo Workflows version 4.0.5. To mitigate this vulnerability, you should upgrade your Argo Workflows installation to version 4.0.5 or later.
Additionally, restrict read access to workflow pod logs to only trusted users, as any user with read access can extract sensitive credentials from the logs.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes sensitive credentials such as S3 access keys, secret keys, GCS service account keys, Azure account keys, and Git passwords to be logged in plaintext in workflow pod logs. Any user with read access to these logs can extract these credentials.
Exposure of such sensitive information can lead to unauthorized access and data breaches, which may violate data protection and privacy regulations like GDPR and HIPAA that require safeguarding of sensitive data and credentials.
Therefore, this vulnerability negatively impacts compliance with common standards and regulations by increasing the risk of unauthorized data access and potential data breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the logging of artifact repository credentials in plaintext within the workflow executor logs of Argo Workflows versions 4.0.0 to before 4.0.5. To detect if your system is affected, you should check the logs of workflow pods for any plaintext credentials such as S3 access keys, secret keys, GCS service account keys, Azure account keys, or Git passwords.
A practical approach is to access the logs of the workflow pods and search for keywords related to credentials. For example, you can use kubectl commands to retrieve logs and grep for common credential patterns.
- kubectl logs <workflow-pod-name> | grep -iE 'access_key|secret_key|service_account|password|token'
- kubectl logs <workflow-pod-name> --since=24h | grep -i 'credential'
If you find any such credentials in the logs, your system is vulnerable if it is running a version from 4.0.0 up to, but not including, 4.0.5. Upgrading to version 4.0.5 or later is recommended to mitigate this issue.
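The grep commands above print matching lines with the secret values intact. The following added example (not code from this page or from the Argo project) performs the same keyword check but masks each value before printing; the key names, the log line layout and the sample lines are constructed assumptions, since the executor's real log format is not shown here.

```shell
#!/bin/sh
# Added example (not Argo project code): flag credential-like key/value pairs
# in pod log text and mask the values, so the check itself does not copy
# secrets into terminal scrollback or a ticket.
# Assumption: the key names extend the keywords grepped for above; the real
# executor log field names are not shown on this page.
CRED_KEYS='access_?key|secret_?key|account_?key|service_?account|password|token'
# Key name, optional closing quote, ':' or '=', optional opening quote.
KEY_PAT="($CRED_KEYS)[a-z_]*\"?[ ]*[:=][ ]*\"?"

# scan_log: log text on stdin -> "line N: <masked line>" for each hit.
# Exit status 0 if any line matched, 1 if none (same convention as grep).
scan_log() {
  awk -v keypat="$KEY_PAT" '
  {
    src = $0; low = tolower($0); out = ""; found = 0
    while (match(low, keypat)) {              # case-insensitive key match
      stop = RSTART + RLENGTH - 1
      out = out substr(src, 1, stop) "****"   # keep the key, mask the value
      src = substr(src, stop + 1); low = substr(low, stop + 1)
      if (match(src, /^[^ ",}]+/)) {          # drop the value characters
        low = substr(low, RLENGTH + 1); src = substr(src, RLENGTH + 1)
      }
      found = 1
    }
    if (found) { printf "line %d: %s%s\n", NR, out, src; hits++ }
  }
  END { exit (hits ? 0 : 1) }'
}

# Constructed sample log lines (not real Argo output, placeholder values).
SAMPLE_LOG='level=info msg="Starting artifact operation" artifact=main-logs
level=info msg="S3 driver config" accessKey=EXAMPLE-ACCESS-KEY secretKey=EXAMPLE-SECRET-KEY
level=info msg="git artifact" username=ci password="EXAMPLE-GIT-PASSWORD"
level=info msg="azure driver config" {"accountKey": "EXAMPLE-AZURE-KEY"}
level=info msg="token refreshed, continuing"'

# Live use: kubectl logs <workflow-pod-name> | scan_log
printf '%s\n' "$SAMPLE_LOG" | scan_log
```

A zero exit status means at least one line carried a credential-like pair, so the function can gate a scheduled check across workflow pods.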