Argo Vulnerable to Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor — CVE-2026-42294
GitHub · GitHub · CVE-2026-42294
ID
CVE-2026-42294
CVE-2026-42294
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
8.2
8.2
EPSS
0.00042
0.00042
Summary
**Severity:** Medium **Component:** Webhook Interceptor (`server/auth/webhook`) **Vulnerability Type:** Denial of Service (DoS) ## Description The Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the `/api/v1/events/` endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an…
Product
go: github.com/argoproj/argo-workflows/v3 | go: github.com/argoproj/argo-workflows/v4
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.