Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials (S3 access keys, secret keys, GCS service account keys, Azure account keys, Git passwords, etc.) in plaintext on artifact operation. Any user with read access to workflow pod logs can extract these credentials. This issue has been patched in version 4.0.5.
Published: 2026-05-09
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Argo Workflows stored all artifact repository credentials in plaintext within workflow executor logs. As a result, any user holding read access to pod logs can retrieve S3 access keys, GCS service account keys, Azure account keys, Git passwords, and similar secrets. This vulnerability allows an attacker with log‑read capabilities to obtain credentials that could compromise external storage services, source code repositories, or other resources tied to the workflow.

Affected Systems

The flaw exists in Argo Workflows versions 4.0.0 through 4.0.4, inclusive. Upgrading to version 4.0.5 or later removes the logging of credentials.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity flaw. While an EPSS score is not available, the vulnerability is accessible through log reading, which many cluster operators grant to developers or CI users. The flaw is not listed in the CISA KEV catalog, but the nature of the credential leakage poses a significant threat to confidentiality and potentially to the integrity of external services.

Generated by OpenCVE AI on May 9, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Argo Workflows to version 4.0.5 or later
  • Limit pod log reading ability to trusted administrators only
  • Audit existing logs for exposed credentials and rotate any compromised keys

Generated by OpenCVE AI on May 9, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7vf8-2cr6-54mf Argo vulnerable to exposure of artifact repository credentials
History

Sat, 09 May 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Argoproj
Argoproj argo-workflows
Vendors & Products Argoproj
Argoproj argo-workflows

Sat, 09 May 2026 04:15:00 +0000

Type Values Removed Values Added
Description Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials (S3 access keys, secret keys, GCS service account keys, Azure account keys, Git passwords, etc.) in plaintext on artifact operation. Any user with read access to workflow pod logs can extract these credentials. This issue has been patched in version 4.0.5.
Title Argo Workflows: Exposure of artifact repository credentials
Weaknesses CWE-522
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Argoproj Argo-workflows
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T03:48:02.754Z

Reserved: 2026-04-26T12:13:55.552Z

Link: CVE-2026-42295

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T04:16:25.367

Modified: 2026-05-09T04:16:25.367

Link: CVE-2026-42295

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T05:30:16Z

Weaknesses