Insufficiently protected credentials in Argo Workflows - CVE-2025-62157
Published: April 23, 2026
Argo Workflows
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information and modify or delete stored artifacts.
The vulnerability exists because the workflow-controller writes artifact repository credentials to its logs in plaintext when handling workflow operations. A remote privileged user who can read the workflow-controller pod logs can obtain these credentials and use them to disclose sensitive information and modify or delete stored artifacts.
Exploitation requires permission to read pod logs in a namespace where Argo Workflows is running.
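
Because exploitation depends on read access to pod logs, an RBAC review of the namespace shows which subjects are exposed to the logged credentials. The following is an added example, not part of the advisory or of Argo Workflows: it takes the `items` list from `kubectl get roles,rolebindings,clusterroles,clusterrolebindings -A -o json` and lists subjects granted `get` on `pods/log`; the namespace `argo` and every object name in the sample are constructed.

```python
# Added example (not from the advisory): find who can read pod logs in a namespace.
# Input: "items" from `kubectl get roles,rolebindings,clusterroles,clusterrolebindings -A -o json`

def grants_pod_logs(rule):
    """True if an RBAC rule allows `get` on the core-group pods/log subresource."""
    return (any(g in ("", "*") for g in rule.get("apiGroups", []))
            and any(v in ("get", "*") for v in rule.get("verbs", []))
            # RBAC matches a subresource by exact name, "*/log", or "*"; plain "pods" does not
            and any(r in ("pods/log", "*/log", "*") for r in rule.get("resources", [])))

def log_readers(items, namespace):
    """Return sorted (subject kind, subject name, binding) for log readers."""
    # Index roles that grant log access as (kind, namespace or None, name)
    granting = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"])
                for o in items if o["kind"] in ("Role", "ClusterRole")
                and any(grants_pod_logs(r) for r in o.get("rules") or [])}
    found = set()
    for o in items:
        kind, meta = o["kind"], o["metadata"]
        if kind == "RoleBinding" and meta.get("namespace") != namespace:
            continue  # a RoleBinding only applies inside its own namespace
        if kind not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = o["roleRef"]
        ref_ns = meta.get("namespace") if ref["kind"] == "Role" else None
        if (ref["kind"], ref_ns, ref["name"]) in granting:
            for s in o.get("subjects") or []:
                found.add((s["kind"], s["name"], f"{kind}/{meta['name']}"))
    return sorted(found)

# Constructed sample objects; the namespace "argo" and all names are hypothetical.
SAMPLE = [
    {"kind": "Role", "metadata": {"name": "log-view", "namespace": "argo"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-list"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-logs", "namespace": "argo"},
     "roleRef": {"kind": "Role", "name": "log-view"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci-pods", "namespace": "argo"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-list"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "everything"},
     "subjects": [{"kind": "User", "name": "ops@example.com"}]},
]
print(log_readers(SAMPLE, "argo"))
```

Rules narrowed by `resourceNames` are reported as well, so treat the result as an upper bound on who can read the workflow-controller logs.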