Argo Workflows Vulnerability in Sync Service by Argo Project
CVE-2026-42297

8.5 HIGH

Key Information:

Vendor: Argoproj

CVE Published: 9 May 2026

What is CVE-2026-42297?

Argo Workflows, a widely used open-source container-native workflow engine for Kubernetes, has a vulnerability affecting versions 4.0.0 through 4.0.4. The Sync Service's ConfigMap-backed provider performs no authorization checks during CRUD operations. As a result, any authenticated user, even one presenting a counterfeit Bearer token, can create, read, update, or delete the Kubernetes ConfigMaps that hold synchronization limits. Because these ConfigMaps are critical configuration, the flaw allows unauthorized manipulation of the engine's concurrency controls. The issue is fixed in version 4.0.5, and users should upgrade.
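As an added illustration, not Argo's own code, the following Go sketch shows the defect class the description names: a ConfigMap-backed provider that authenticates the caller but never decides whether that caller may perform the requested verb, beside a hardened provider that gates every CRUD verb on an authorization decision. All types here (`Caller`, `Authorizer`, `ConfigMapStore`, the two providers and their `Apply` method) are hypothetical stand-ins; the in-memory store replaces the Kubernetes API and the allow-list replaces a SubjectAccessReview.

```go
package main

import (
	"errors"
	"fmt"
)

// Verb names one of the CRUD operations the provider exposes.
type Verb string

const (
	VerbCreate Verb = "create"
	VerbGet    Verb = "get"
	VerbUpdate Verb = "update"
	VerbDelete Verb = "delete"
)

// Caller is the identity behind a request. Hypothetical: a real engine derives
// it from the Bearer token; Allowed is a static allow-list standing in for a
// Kubernetes SubjectAccessReview.
type Caller struct {
	Subject string
	Allowed map[Verb]bool
}

// Authorizer decides whether a caller may perform verb on namespace/name.
type Authorizer interface {
	Allow(c Caller, verb Verb, namespace, name string) bool
}

// AllowListAuthorizer is a constructed authorizer backed by Caller.Allowed.
type AllowListAuthorizer struct{}

func (AllowListAuthorizer) Allow(c Caller, verb Verb, _, _ string) bool {
	return c.Allowed[verb]
}

// ErrForbidden is returned when the authorization check fails.
var ErrForbidden = errors.New("forbidden")

// ConfigMapStore is an in-memory stand-in for the Kubernetes ConfigMap API.
type ConfigMapStore struct {
	objects map[string]map[string]string // "namespace/name" -> data
}

func NewConfigMapStore() *ConfigMapStore {
	return &ConfigMapStore{objects: map[string]map[string]string{}}
}

// apply performs the raw CRUD operation with no authorization at all; both
// providers below delegate to it.
func (s *ConfigMapStore) apply(verb Verb, ns, name string, data map[string]string) (map[string]string, error) {
	key := ns + "/" + name
	existing, ok := s.objects[key]
	switch verb {
	case VerbCreate:
		if ok {
			return nil, fmt.Errorf("configmap %s already exists", key)
		}
		s.objects[key] = data
		return data, nil
	case VerbGet, VerbUpdate, VerbDelete:
		if !ok {
			return nil, fmt.Errorf("configmap %s not found", key)
		}
		if verb == VerbUpdate {
			s.objects[key] = data
			return data, nil
		}
		if verb == VerbDelete {
			delete(s.objects, key)
		}
		return existing, nil
	}
	return nil, fmt.Errorf("unknown verb %q", verb)
}

// VulnerableProvider mirrors the defect class in the advisory: the request is
// authenticated (a Caller exists) but no authorization decision is made, so
// every authenticated caller can perform every verb.
type VulnerableProvider struct{ Store *ConfigMapStore }

func (p *VulnerableProvider) Apply(c Caller, verb Verb, ns, name string, data map[string]string) (map[string]string, error) {
	return p.Store.apply(verb, ns, name, data)
}

// HardenedProvider checks the Authorizer on every verb before touching the store.
type HardenedProvider struct {
	Store *ConfigMapStore
	Authz Authorizer
}

func (p *HardenedProvider) Apply(c Caller, verb Verb, ns, name string, data map[string]string) (map[string]string, error) {
	if !p.Authz.Allow(c, verb, ns, name) {
		return nil, fmt.Errorf("%w: %s may not %s configmap %s/%s", ErrForbidden, c.Subject, verb, ns, name)
	}
	return p.Store.apply(verb, ns, name, data)
}

func main() {
	admin := Caller{Subject: "admin", Allowed: map[Verb]bool{VerbCreate: true, VerbGet: true, VerbUpdate: true, VerbDelete: true}}
	reader := Caller{Subject: "reader", Allowed: map[Verb]bool{VerbGet: true}} // constructed low-privilege identity
	limits := map[string]string{"workflow": "5"}                               // constructed sync-limit data

	vuln := &VulnerableProvider{Store: NewConfigMapStore()}
	_, _ = vuln.Apply(admin, VerbCreate, "argo", "sync-limits", limits)
	_, err := vuln.Apply(reader, VerbDelete, "argo", "sync-limits", nil)
	fmt.Println("vulnerable: reader delete error =", err) // prints <nil>: the delete went through

	hard := &HardenedProvider{Store: NewConfigMapStore(), Authz: AllowListAuthorizer{}}
	_, _ = hard.Apply(admin, VerbCreate, "argo", "sync-limits", limits)
	_, err = hard.Apply(reader, VerbDelete, "argo", "sync-limits", nil)
	fmt.Println("hardened: reader delete forbidden =", errors.Is(err, ErrForbidden)) // true
}
```

The point of the split is that authentication (a token resolved to a `Caller`) and authorization (this caller may run this verb on this object) are separate decisions; the hardened provider makes the second one on every verb, including reads, and returns a typed `ErrForbidden` the API layer can map to a 403. In a real controller the `Authorizer` would ask the Kubernetes API for a SubjectAccessReview on the caller's identity rather than consult a static map.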

Affected Version(s)

argo-workflows >= 4.0.0, < 4.0.5

CVSS v4

Score: 8.5
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved