SB2024120237 - Missing Authorization in Argo Workflows
Published: December 2, 2024 Updated: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Missing Authorization (CVE-ID: CVE-2024-53862)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive workflow information.
The vulnerability exists due to missing authorization in the GET Workflow endpoint fallback to archived workflows when handling requests to retrieve archived workflows in client or sso mode. A remote attacker can send a request with a spoofed or otherwise unauthorized token to disclose sensitive workflow information.
Only deployments with workflow archiving enabled are affected.
Remediation
Install update from vendor's website.