Sensitive Data Exposure in Argo Workflows by Argo Project
CVE-2026-42295

8.5 HIGH

Key Information:

Vendor: Argoproj
CVE Published: 9 May 2026

What is CVE-2026-42295?

Argo Workflows, a container-native orchestration tool for Kubernetes, has a vulnerability that allows credential exposure through logs. Versions prior to 4.0.5 log sensitive artifact repository credentials—including S3 access and secret keys, GCS service account keys, Azure account keys, and Git passwords—in plaintext. This poses a risk as any user with read access to the workflow pod logs can easily extract these credentials, potentially leading to unauthorized access. The issue is resolved in version 4.0.5.

Affected Version(s)

argo-workflows >= 4.0.0, < 4.0.5

CVSS V4

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
