Denial of Service Vulnerability in Argo Workflows by Argo Project
CVE-2026-42294

8.2 HIGH

Key Information:

Vendor

Argoproj

CVE Published:
9 May 2026

What is CVE-2026-42294?

Argo Workflows, a container-native workflow engine for Kubernetes, has a vulnerability in its Webhook Interceptor. The issue arises when the interceptor loads the entire request body into memory prior to performing authentication or signature verification on requests made to the publicly accessible /api/v1/events/ endpoint. Attackers can exploit this vulnerability by sending requests containing excessively large bodies, potentially causing the Argo Server to run out of memory and crash. This results in a denial of service for legitimate users. The vulnerability has been addressed in versions 3.7.14 and 4.0.5.
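The general mitigation for this class of bug, as an added example that is not Argo's code or its actual patch: cap the request body with http.MaxBytesReader before buffering it for signature verification, so an oversized request fails with 413 instead of growing server memory. The names maxEventBody, sign and boundedInterceptor, the X-Example-Signature header and the HMAC scheme are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

const maxEventBody = 1 << 20 // 1 MiB; assumed limit for this example

// sign returns the hex HMAC-SHA256 of body (hypothetical scheme, sent in X-Example-Signature).
func sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// boundedInterceptor caps the body, then verifies the signature, then calls next.
func boundedInterceptor(secret []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, maxEventBody) // reads past the cap fail
		body, err := io.ReadAll(r.Body)
		var tooBig *http.MaxBytesError
		switch {
		case errors.As(err, &tooBig):
			http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
		case err != nil:
			http.Error(w, "bad request", http.StatusBadRequest)
		case !hmac.Equal([]byte(sign(secret, body)), []byte(r.Header.Get("X-Example-Signature"))):
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		default:
			r.Body = io.NopCloser(bytes.NewReader(body)) // replay the verified bytes for next
			next.ServeHTTP(w, r)
		}
	})
}

func main() { // constructed request: a 2 MiB unsigned body is refused with 413
	rec := httptest.NewRecorder()
	req := httptest.NewRequest("POST", "/api/v1/events/", bytes.NewReader(make([]byte, 2<<20)))
	boundedInterceptor([]byte("constructed-secret"), http.NotFoundHandler()).ServeHTTP(rec, req)
	fmt.Println(rec.Code)
}
```

The size check runs before the signature check on purpose: the signature cannot be verified without reading the body, so the cap is the only control that applies to unauthenticated senders.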

Affected Version(s)

argo-workflows < 3.7.14

argo-workflows >= 4.0.0, < 4.0.5

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved