Improper access control in Argo Workflows - #VU126903

 


Published: July 22, 2021 / Updated: April 23, 2026


Vulnerability identifier: #VU126903
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Argo Workflows
Software vendor:
Argo

Description

The vulnerability allows a remote user to execute arbitrary code on the Kubernetes cluster.

The vulnerability exists due to improper access control in Argo Server when its user interface is exposed to the internet while the server runs with --auth-mode=server. In server auth mode Argo Server does not authenticate its clients; it performs every Kubernetes API call with its own service account. Anyone who can reach the exposed UI or API therefore acts with that service account's permissions and can submit workflows that run attacker-chosen containers on the cluster.

Only deployments that run Argo Server with --auth-mode=server and expose its UI to the internet are affected. Deployments that use an authenticated mode (client or sso), or that keep the UI reachable only from inside the cluster, are not covered by this advisory.
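The two conditions above (server auth mode plus an externally reachable UI) can be checked from the cluster's own objects. The script below is an added example, not code from the advisory or from the Argo project: it reads the JSON that `kubectl get deploy argo-server -n argo -o json` and `kubectl get svc argo-server -n argo -o json` would return, collects every --auth-mode value from the pod template (Argo Server accepts the flag more than once and in both `--auth-mode=x` and `--auth-mode x` form), and uses the Service type as an exposure heuristic. The manifests embedded in the script are constructed samples; the image tag, namespace and port are assumptions.

```python
import json

# Constructed sample of the relevant part of a `kubectl get deploy -o json` dump
# for an Argo Server started in server auth mode (not taken from a real cluster).
WEAK_DEPLOYMENT = json.loads("""
{
  "kind": "Deployment",
  "metadata": {"name": "argo-server", "namespace": "argo"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "argo-server", "image": "argoproj/argocli:v3.1.0",
     "args": ["server", "--auth-mode=server"]}
  ]}}}
}
""")

# Same deployment after moving to authenticated modes (client and sso).
# The split form "--auth-mode", "client" is deliberate to exercise the parser.
FIXED_DEPLOYMENT = json.loads("""
{
  "kind": "Deployment",
  "metadata": {"name": "argo-server", "namespace": "argo"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "argo-server", "image": "argoproj/argocli:v3.1.0",
     "args": ["server", "--auth-mode", "client", "--auth-mode=sso"]}
  ]}}}
}
""")

# Constructed Services: a LoadBalancer publishes the UI outside the cluster,
# a ClusterIP keeps it internal (port 2746 is Argo Server's default, assumed here).
EXPOSED_SERVICE = json.loads(
    '{"kind": "Service", "spec": {"type": "LoadBalancer", "ports": [{"port": 2746}]}}')
INTERNAL_SERVICE = json.loads(
    '{"kind": "Service", "spec": {"type": "ClusterIP", "ports": [{"port": 2746}]}}')


def auth_modes(deployment):
    """Return the set of --auth-mode values passed to the pod template's containers.

    Both `--auth-mode=server` and `--auth-mode server` are recognised, and repeated
    flags are collected because Argo Server can run with several modes at once.
    An empty set means the flag is absent and the version's default applies.
    """
    modes = set()
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        argv = list(container.get("command", [])) + list(container.get("args", []))
        i = 0
        while i < len(argv):
            arg = argv[i]
            if arg.startswith("--auth-mode="):
                modes.add(arg.split("=", 1)[1])
            elif arg == "--auth-mode" and i + 1 < len(argv):
                modes.add(argv[i + 1])
                i += 1
            i += 1
    return modes


def is_exposed(service):
    """Heuristic: NodePort and LoadBalancer Services are reachable from outside the
    cluster. An Ingress or an external proxy in front of a ClusterIP Service would
    also expose the UI and has to be checked separately."""
    return service["spec"].get("type") in ("NodePort", "LoadBalancer")


def assess(deployment, service):
    """Classify a deployment/service pair against the advisory's two conditions."""
    modes = auth_modes(deployment)
    if not modes:
        return "unknown: no --auth-mode flag, the version default applies"
    if "server" in modes and is_exposed(service):
        return "vulnerable: server auth mode on an externally reachable UI"
    if "server" in modes:
        return "risky: server auth mode, not exposed by this Service"
    return "ok: " + ",".join(sorted(modes))


if __name__ == "__main__":
    for label, dep, svc in (("weak+exposed", WEAK_DEPLOYMENT, EXPOSED_SERVICE),
                            ("weak+internal", WEAK_DEPLOYMENT, INTERNAL_SERVICE),
                            ("fixed+exposed", FIXED_DEPLOYMENT, EXPOSED_SERVICE)):
        print(f"{label}: {assess(dep, svc)}")
```

A "risky" result still deserves attention: server auth mode grants every caller the server's service account, so any later change that publishes the UI (an Ingress, a port-forward left open, a NodePort added for debugging) turns it into the exposed case.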


Remediation

Install the security update from the vendor's website. Because the advisory only applies to Argo Server instances running with --auth-mode=server and an internet-exposed UI, also make sure no instance is published externally in that mode: run it with an authenticated mode (--auth-mode=client or --auth-mode=sso) or restrict network access to the UI.

External links