Improper access control in Argo Workflows - CVE-2022-29164

 

Improper access control in Argo Workflows - CVE-2022-29164

Published: May 4, 2022 / Updated: April 23, 2026


Vulnerability identifier: #VU126899
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-29164
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Argo
Affected software:
Argo Workflows

Detailed vulnerability description

The vulnerability allows a remote user to read information about the victim's workflows and create or delete workflows.

The vulnerability exists due to improper access control in HTML artifact handling when rendering a crafted HTML artifact that issues XHR requests to the Argo Server API. A remote user can send a deep-link to a crafted artifact to cause the victim's browser to interact with the API using the victim's privileges.

User interaction is required, and exploitation requires the ability to run workflows in the same cluster as the victim.


How to mitigate CVE-2022-29164

Install security update from vendor's website.

Sources