Improper access control in Argo Workflows - CVE-2022-29164


Published: May 4, 2022 / Updated: April 23, 2026


Vulnerability identifier: #VU126899
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-29164
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Argo Workflows
Software vendor:
Argo

Description

The vulnerability allows a remote user to read information about the victim's workflows and create or delete workflows.

The vulnerability exists due to improper access control in HTML artifact handling when rendering a crafted HTML artifact that issues XHR requests to the Argo Server API. A remote user can send a deep-link to a crafted artifact to cause the victim's browser to interact with the API using the victim's privileges.

User interaction is required, and exploitation requires the ability to run workflows in the same cluster as the victim.
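The root cause described above is that an artifact uploaded by one workflow is rendered as live HTML in the same origin as the Argo Server API, so script inside it can call the API with the viewer's session. The following Go handler is an added illustration of the defensive pattern, not Argo's own code or its fix: the hypothetical `artifactHeaders`/`serveArtifact` functions serve stored artifacts so the browser never executes them, and the `/artifacts/` route and sample body are assumed for the demo.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// artifactHeaders returns response headers that make a stored artifact inert
// in the browser: browser-renderable types are downgraded to plain text, MIME
// sniffing is disabled, and a sandboxing CSP denies script and network access
// even if some viewer still renders the body. Hypothetical hardening, not the
// project's own implementation.
func artifactHeaders(contentType string) http.Header {
	h := http.Header{}
	ct := strings.ToLower(contentType)
	if strings.HasPrefix(ct, "text/html") ||
		strings.HasPrefix(ct, "application/xhtml+xml") ||
		strings.Contains(ct, "svg") {
		// Never render user-supplied markup in the API's origin.
		ct = "text/plain; charset=utf-8"
	}
	h.Set("Content-Type", ct)
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "sandbox; default-src 'none'")
	h.Set("Content-Disposition", "attachment")
	return h
}

// serveArtifact writes an artifact body with the hardened headers applied.
func serveArtifact(w http.ResponseWriter, contentType string, body []byte) {
	for k, v := range artifactHeaders(contentType) {
		w.Header()[k] = v
	}
	w.WriteHeader(http.StatusOK)
	w.Write(body)
}

func main() {
	// Constructed sample: an artifact that carries markup and script.
	sample := []byte(`<html><script>/* would run as the viewer */</script></html>`)
	http.HandleFunc("/artifacts/", func(w http.ResponseWriter, r *http.Request) {
		serveArtifact(w, "text/html; charset=utf-8", sample)
	})
	fmt.Println("listening on :8080")
	http.ListenAndServe(":8080", nil)
}
```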


Remediation

Install the security update from the vendor's website.

External links