SB2026042338 - Multiple vulnerabilities in Argo Workflows

Description

This security bulletin contains information about 2 vulnerabilities.

1) Improper access control (CVE-ID: CVE-2026-28229)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in workflow template and cluster workflow template endpoints when handling requests to retrieve templates. A remote attacker can send a request with a crafted bearer token to disclose sensitive information.

Exposed template content may include embedded Secret manifests, artifact locations, service account usage, environment variables, and resource manifests.

2) Incorrect authorization (CVE-ID: CVE-2026-31892)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote user to bypass security restrictions and gain root access to the underlying Kubernetes node.

The vulnerability exists due to incorrect authorization in the WorkflowTemplate reference handling and podSpecPatch processing when submitting a Workflow that references an approved WorkflowTemplate with a crafted podSpecPatch. A remote user can submit a Workflow containing a crafted podSpecPatch to bypass security restrictions and gain root access to the underlying Kubernetes node.

The issue occurs even when the controller is configured with templateReferencing set to Strict or Secure, because podSpecPatch takes precedence during spec merging and is applied without security validation.

Remediation

Install update from vendor's website.

References

• https://github.com/argoproj/argo-workflows/security/advisories/GHSA-56px-hm34-xqj5
• https://github.com/argoproj/argo-workflows/security/advisories/GHSA-3wf5-g532-rcrr