Unauthorized access to Argo Workflows Template — CVE-2026-28229
GitHub · GitHub · CVE-2026-28229
ID
CVE-2026-28229
CVE-2026-28229
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
7.5
7.5
EPSS
0.00063
0.00063
Summary
### Summary Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with a `Authorization: Bearer nothing` token can leak sensitive template content, including embedded Secret manifests. ### Details https://github.com/argoproj/argo-workflows/blob/b519c9054e66b2f0a25eec06709717bd1362f72e/server/workflowtemplate/workflow_template_server.go#L60-L78…
Product
go: github.com/argoproj/argo-workflows/v4 | go: github.com/argoproj/argo-workflows/v3
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.