anonhaven
Ad

CVE-2026-28229

CRITICAL CVSS 3.1: 7.5 EPSS 0.06%
Updated Mar 20, 2026
Kubernetes
Parameter Value
CVSS 7.5 (CRITICAL)
Affected Versions 3.7.0 — 4.0.2
Fixed In 4.0.2
Type CWE-863 (Incorrect Authorization)
Vendor Kubernetes
Public PoC No

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with a Authorization: Bearer nothing token can leak sensitive template content, including embedded Secret manifests.

This vulnerability is fixed in 4.0.2 and 3.7.11.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-863 Incorrect Authorization

Vulnerable Products 2

Configuration From (including) Up to (excluding)
Argoproj Argo_Workflows
cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*
 3.7.0 3.7.11
Argoproj Argo_Workflows
cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*
 4.0.0 4.0.2

References 1

https://github.com/argoproj/argo-workflows/security/advisories/GHSA-56px-hm34-x…
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-40090

Kubernetes

7.1

CVE-2026-39884

Kubernetes

8.3

CVE-2026-34984

Kubernetes

7.1

CVE-2026-5483

Kubernetes

8.5

CVE-2026-35206

Helm

4.8