{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/argo-workflows--3.7.14/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Argo Workflows \u003c 3.7.14","Argo Workflows \u003e= 4.0.0","Argo Workflows \u003c 4.0.5"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","argo-workflows","cloud"],"_cs_type":"advisory","_cs_vendors":["Argoproj"],"content_html":"\u003cp\u003eArgo Workflows is vulnerable to a denial-of-service (DoS) attack (CVE-2026-42294) due to unbounded memory allocation in the Webhook Interceptor. The vulnerability resides in the \u003ccode\u003eserver/auth/webhook/interceptor.go\u003c/code\u003e component, specifically within the \u003ccode\u003e/api/v1/events/\u003c/code\u003e endpoint. This endpoint, intended for webhook integrations, reads the entire request body into memory without proper size limits, leading to potential memory exhaustion. An attacker can exploit this vulnerability by sending a crafted request with an extremely large body, causing the Argo Server to allocate excessive memory and potentially crash, resulting in a denial of service. Affected versions include Argo Workflows versions prior to 3.7.14 and versions 4.0.0 up to 4.0.5.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Argo Workflows instance with a publicly accessible \u003ccode\u003e/api/v1/events/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request targeting the \u003ccode\u003e/api/v1/events/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eContent-Length\u003c/code\u003e header of the request to a very large value (e.g., 1GB or more).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious request with a large amount of arbitrary data as the request body.\u003c/li\u003e\n\u003cli\u003eThe Argo Server receives the request and, within the \u003ccode\u003eWebhookInterceptor\u003c/code\u003e, calls \u003ccode\u003eio.ReadAll(r.Body)\u003c/code\u003e, allocating memory to store the entire request body.\u003c/li\u003e\n\u003cli\u003eDue to the large request body, the Argo Server\u0026rsquo;s memory consumption increases significantly.\u003c/li\u003e\n\u003cli\u003eIf the attacker sends a sufficiently large request, the Argo Server exhausts its available memory.\u003c/li\u003e\n\u003cli\u003eThe Argo Server process crashes due to an Out-Of-Memory (OOM) error, leading to a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition, disrupting workflow execution and API access for all users of the Argo Workflows instance. The Argo Server crashes, making it unavailable until restarted. This impacts service availability and potentially causes data loss if workflows are interrupted during execution. The number of victims depends on the number of Argo Workflows instances exposed and targeted by attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnforce a strict limit on webhook body size (e.g., 10MB) using \u003ccode\u003ehttp.MaxBytesReader\u003c/code\u003e or similar mechanisms within your ingress controller or reverse proxy to prevent oversized requests from reaching the Argo Server.\u003c/li\u003e\n\u003cli\u003eUpgrade Argo Workflows to version 3.7.14 or 4.0.5 or later to patch CVE-2026-42294 and mitigate the risk of denial-of-service attacks.\u003c/li\u003e\n\u003cli\u003eMonitor memory usage of the Argo Server process and set up alerts for unusually high memory consumption to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T20:11:01Z","date_published":"2026-05-04T20:11:01Z","id":"/briefs/2026-05-argo-dos/","summary":"Argo Workflows is vulnerable to a denial-of-service (DoS) attack due to unbounded memory allocation in the Webhook Interceptor component.","title":"Argo Workflows Webhook Interceptor Vulnerable to Unauthenticated Memory Exhaustion (CVE-2026-42294)","url":"https://feed.craftedsignal.io/briefs/2026-05-argo-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Argo Workflows \u003c 3.7.14","version":"https://jsonfeed.org/version/1.1"}