SB20210722101 - Improper access control in Argo Workflows




Published: July 22, 2021 Updated: April 23, 2026

Security Bulletin ID: SB20210722101
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote user to execute arbitrary code on the Kubernetes cluster.

The vulnerability exists due to improper access control in Argo Server when the user interface is exposed to the internet while using --auth-mode=server. A remote user can access the exposed interface to execute arbitrary code on the Kubernetes cluster.

Only deployments using Argo Server with --auth-mode=server and an internet-exposed UI are vulnerable.
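
To find deployments that match the condition described above, the following added example (not part of the bulletin or of Argo's own code) scans the output of `kubectl get deployments,services -A -o json` for containers started with --auth-mode=server and lists the LoadBalancer or NodePort Services that select them. The sample input and the `auth_modes` and `audit` helper names are constructed for illustration; Ingress objects and network-level filtering are not examined.

```python
import json

# Constructed sample of `kubectl get deployments,services -A -o json` output (not from the bulletin).
SAMPLE = json.dumps({"items": [
    {"kind": "Deployment", "metadata": {"namespace": "argo", "name": "argo-server"},
     "spec": {"template": {"metadata": {"labels": {"app": "argo-server"}}, "spec": {"containers": [
         {"name": "argo-server", "args": ["server", "--auth-mode=server"]}]}}}},
    {"kind": "Service", "metadata": {"namespace": "argo", "name": "argo-server"},
     "spec": {"type": "LoadBalancer", "selector": {"app": "argo-server"}}},
    {"kind": "Deployment", "metadata": {"namespace": "ci", "name": "argo-server"},
     "spec": {"template": {"metadata": {"labels": {"app": "argo-server"}}, "spec": {"containers": [
         {"name": "argo-server", "args": ["server", "--auth-mode", "sso"]}]}}}},
]})


def auth_modes(container):
    """Collect --auth-mode values; the flag may repeat and use '=' or a space."""
    argv = (container.get("command") or []) + (container.get("args") or [])
    modes = []
    for i, arg in enumerate(argv):
        if arg.startswith("--auth-mode="):
            modes.append(arg.split("=", 1)[1])
        elif arg == "--auth-mode" and i + 1 < len(argv):
            modes.append(argv[i + 1])
    return modes


def audit(kubectl_json):
    """Return (namespace, deployment, exposing_services) for each server-mode workload."""
    items = json.loads(kubectl_json)["items"]
    services = [s for s in items if s["kind"] == "Service"]
    findings = []
    for d in (x for x in items if x["kind"] == "Deployment"):
        pod = d["spec"]["template"]
        if not any("server" in auth_modes(c) for c in pod["spec"]["containers"]):
            continue
        ns, labels = d["metadata"]["namespace"], pod["metadata"].get("labels", {})
        exposed = [s["metadata"]["name"] for s in services
                   if s["metadata"]["namespace"] == ns
                   and s["spec"].get("type") in ("LoadBalancer", "NodePort")
                   and s["spec"].get("selector")  # an empty selector matches no pods
                   and s["spec"]["selector"].items() <= labels.items()]
        findings.append((ns, d["metadata"]["name"], exposed))
    return findings


if __name__ == "__main__":
    for ns, name, exposed in audit(SAMPLE):
        print(f"{ns}/{name}: --auth-mode=server, exposed via {exposed or 'no matching Service'}")
```

A deployment where the flag is absent is not reported; its effective mode depends on the default of the installed Argo Server version and should be checked separately.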


Remediation

Install the update from the vendor's website.