Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operations (create, read, update, delete). Any authenticated user — including those using fake Bearer tokens — can create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits. This issue has been patched in version 4.0.5.
Published: 2026-05-09
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Sync Service’s ConfigMap‑backed provider in Argo Workflows implements no authorization checks for any CRUD operation. Consequently, any authenticated user—including one using a fabricated Bearer token—can create, read, update, or delete configuration in Kubernetes ConfigMaps that control workflow synchronization limits. Based on the description, it is inferred that manipulating these limits could lead to uncontrolled resource use, denial of service, or privilege escalation within the cluster.

Affected Systems

Versions of Argo Workflows from 4.0.0 up to 4.0.4 are affected. The vendor is argoproj:argo-workflows, and the flaw exists only in the Sync Service’s ConfigMap provider component. The problem was fixed in release 4.0.5.

Risk and Exploitability

The CVSS score of 8.5 denotes high severity. Although the EPSS score is not provided, based on the description it is inferred that exploitation is likely if an attacker gains any authenticated access or is able to produce a forged token. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the bug by sending authenticated requests to the Sync Service endpoints to manipulate ConfigMaps, potentially enabling escalation or disruption of workflow orchestration.

Generated by OpenCVE AI on May 9, 2026 at 05:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Argo Workflows to version 4.0.5 or later, which includes the missing authorization checks for the ConfigMap provider.
  • If an upgrade is not immediately possible, disable or remove the Sync Service’s ConfigMap provider from the cluster configuration, thereby eliminating the insecure endpoint.
  • Review and tighten Kubernetes RBAC so that only trusted service accounts can authenticate with the Argo Workflows API, which limits the impact of forged tokens.
  • Monitor traffic to the Sync Service endpoints for unexpected create, read, update, or delete operations on ConfigMaps.

Generated by OpenCVE AI on May 9, 2026 at 05:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xchc-cqwg-g76q Argo has Missing Authorization in its Sync ConfigMap Provider
History

Sat, 09 May 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Argoproj
Argoproj argo-workflows
Vendors & Products Argoproj
Argoproj argo-workflows

Sat, 09 May 2026 04:15:00 +0000

Type Values Removed Values Added
Description Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operations (create, read, update, delete). Any authenticated user — including those using fake Bearer tokens — can create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits. This issue has been patched in version 4.0.5.
Title Argo Workflows Is Missing Authorization in Sync ConfigMap Provider
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:H/SA:H'}

Subscriptions

Argoproj Argo-workflows
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T03:42:43.305Z

Reserved: 2026-04-26T12:13:55.552Z

Link: CVE-2026-42297

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T04:16:25.727

Modified: 2026-05-09T04:16:25.727

Link: CVE-2026-42297

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T06:00:12Z

Weaknesses