Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials (S3 access keys, secret keys, GCS service account keys, Azure account keys, Git passwords, etc.) in plaintext on artifact operation. Any user with read access to workflow pod logs can extract these credentials. This issue has been patched in version 4.0.5.
Published: 2026-05-09
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Argo Workflows stored all artifact repository credentials in plaintext within workflow executor logs. As a result, any user holding read access to pod logs can retrieve S3 access keys, GCS service account keys, Azure account keys, Git passwords, and similar secrets. This vulnerability allows an attacker with log‑read capabilities to obtain credentials that could compromise external storage services, source code repositories, or other resources tied to the workflow.

Affected Systems

The flaw exists in Argo Workflows versions 4.0.0 through 4.0.4, inclusive. Upgrading to version 4.0.5 or later removes the logging of credentials.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity flaw. The EPSS score of 0.00042 indicates a very low exploitation probability, but the vulnerability is still accessible through log reading, which many cluster operators grant to developers or CI users. The flaw is not listed in the CISA KEV catalog, but the nature of the credential leakage poses a significant threat to confidentiality and potentially to the integrity of external services.

Generated by OpenCVE AI on May 19, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Argo Workflows to version 4.0.5 or later
  • Limit pod log reading ability to trusted administrators only
  • Audit existing logs for exposed credentials and rotate any compromised keys

Generated by OpenCVE AI on May 19, 2026 at 01:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7vf8-2cr6-54mf Argo vulnerable to exposure of artifact repository credentials
History

Tue, 19 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-256
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 15 May 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Argoproj argo Workflows
CPEs cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*
Vendors & Products Argoproj argo Workflows
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Sat, 09 May 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Argoproj
Argoproj argo-workflows
Vendors & Products Argoproj
Argoproj argo-workflows

Sat, 09 May 2026 04:15:00 +0000

Type Values Removed Values Added
Description Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials (S3 access keys, secret keys, GCS service account keys, Azure account keys, Git passwords, etc.) in plaintext on artifact operation. Any user with read access to workflow pod logs can extract these credentials. This issue has been patched in version 4.0.5.
Title Argo Workflows: Exposure of artifact repository credentials
Weaknesses CWE-522
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Argoproj Argo-workflows Argo Workflows
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T14:47:01.190Z

Reserved: 2026-04-26T12:13:55.552Z

Link: CVE-2026-42295

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-09T04:16:25.367

Modified: 2026-05-15T19:40:36.453

Link: CVE-2026-42295

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-09T03:48:02Z

Links: CVE-2026-42295 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T02:00:14Z

Weaknesses
  • CWE-256

    Plaintext Storage of a Password

  • CWE-522

    Insufficiently Protected Credentials