Argo has Missing Authorization in its Sync ConfigMap Provider — CVE-2026-42297
GitHub · GitHub · CVE-2026-42297
ID
CVE-2026-42297
CVE-2026-42297
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
8.5
8.5
EPSS
0.00036
0.00036
Summary
### Summary The Sync Service's ConfigMap-backed provider (`server/sync/sync_cm.go`) performs **zero authorization checks** on all CRUD operations (create, read, update, delete). Any authenticated user — including those using fake Bearer tokens — can create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits. ### Details The ConfigMap-backed provider (`server/sync/sync_cm.go`) has no…
Product
go: github.com/argoproj/argo-workflows/v4
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.