Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an extremely large body (e.g., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. This issue has been patched in versions 3.7.14 and 4.0.5.
Published: 2026-05-09
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Argo Workflows’ Webhook Interceptor reads the entire request body into memory before performing authentication or signature validation. The /api/v1/events endpoint is publicly reachable, and an attacker can send a request with an extremely large body. The unbounded memory allocation can exhaust the Argo Server’s resources, causing an Out‑Of‑Memory crash and resulting in denial of service. This flaw corresponds to CWE‑770: Excessive Resource Consumption.

Affected Systems

The vulnerability affects the open‑source Argo Workflows engine delivered by argoproj. Versions prior to 3.7.14 and 4.0.5 are susceptible; the issue was addressed in the 3.7.14 and 4.0.5 releases.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity, and the vulnerability is not currently listed in the CISA KEV catalog. Because the /api/v1/events endpoint is reachable without authentication, an attacker can trigger the exploit over the public network. There is no EPSS score available, but the potential for resource exhaustion remains significant. The attack vector is a simple HTTP POST to the webhook endpoint with a large payload, which an adversary can conduct from any network location with connectivity to the Argo API.

Generated by OpenCVE AI on May 9, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Argo Workflows patch (v3.7.14 or v4.0.5) to remove the vulnerability.
  • Restrict the /api/v1/events endpoint to trusted IPs or network segments using Ingress or firewall rules to limit access until the patch is in place.
  • Configure request body size limits in the ingress controller or application layer to prevent unusually large payloads from consuming server memory.

Generated by OpenCVE AI on May 9, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jcc8-g2q4-9fxq Argo Vulnerable to Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor
History

Sat, 09 May 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Argoproj
Argoproj argo-workflows
Vendors & Products Argoproj
Argoproj argo-workflows

Sat, 09 May 2026 04:15:00 +0000

Type Values Removed Values Added
Description Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an extremely large body (e.g., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. This issue has been patched in versions 3.7.14 and 4.0.5.
Title Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Argoproj Argo-workflows
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T03:45:48.180Z

Reserved: 2026-04-26T12:13:55.551Z

Link: CVE-2026-42294

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T04:16:24.903

Modified: 2026-05-09T04:16:24.903

Link: CVE-2026-42294

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T05:30:16Z

Weaknesses