Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with a Authorization: Bearer nothing token can leak sensitive template content, including embedded Secret manifests. This vulnerability is fixed in 4.0.2 and 3.7.11.
Published: 2026-03-11
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Immediate Patch
AI Analysis

Impact

Argo Workflows versions prior to 4.0.2 and 3.7.11 allow any client to read WorkflowTemplates and ClusterWorkflowTemplates by sending an empty Authorization: Bearer token. The endpoint leaks the full template content, which can contain embedded Secret manifests. This unauthorized read leads to a clear data exposure scenario, where confidential configuration and credential information becomes accessible to attackers without authentication.

Affected Systems

The vendor is argoproj and the product is argo-workflows. All releases running a version earlier than 4.0.2 or 3.7.11 are affected; any later release contains the fix.

Risk and Exploitability

The CVSS score of 9.8 marks the vulnerability as critical, while the EPSS score below 1% indicates that exploitation is currently unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog. Attacks can be performed remotely by simply issuing an HTTP request to the WorkflowTemplates endpoint with an empty bearer token, which then returns sensitive template data to the attacker.

Generated by OpenCVE AI on March 20, 2026 at 15:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade argo-workflows to version 4.0.2 or 3.7.11 or later.

Generated by OpenCVE AI on March 20, 2026 at 15:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-56px-hm34-xqj5 Unauthorized access to Argo Workflows Template
History

Fri, 20 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Argoproj argo Workflows
CPEs cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*
Vendors & Products Argoproj argo Workflows

Fri, 13 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Argoproj
Argoproj argo-workflows
Vendors & Products Argoproj
Argoproj argo-workflows

Wed, 11 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with a Authorization: Bearer nothing token can leak sensitive template content, including embedded Secret manifests. This vulnerability is fixed in 4.0.2 and 3.7.11.
Title Argo Workflows has unauthorized access to Argo Workflows Template
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Argoproj Argo-workflows Argo Workflows
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T17:33:15.219Z

Reserved: 2026-02-25T15:28:40.651Z

Link: CVE-2026-28229

cve-icon Vulnrichment

Updated: 2026-03-11T17:33:04.105Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T16:16:40.477

Modified: 2026-03-20T14:27:59.017

Link: CVE-2026-28229

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-11T15:37:47Z

Links: CVE-2026-28229 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:55:27Z

Weaknesses