Argo vulnerable to exposure of artifact repository credentials — CVE-2026-42295
GitHub · GitHub · CVE-2026-42295
ID
CVE-2026-42295
CVE-2026-42295
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
8.5
8.5
EPSS
0.00036
0.00036
Summary
### Summary The workflow executor logs all artifact repository credentials (S3 access keys, secret keys, GCS service account keys, Azure account keys, Git passwords, etc.) in plaintext on artifact operation. Any user with read access to workflow pod logs can extract these credentials. **Note:** This is an incomplete fix of…
Product
go: github.com/argoproj/argo-workflows/v4
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.