{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/argoproj/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":6.5,"id":"CVE-2025-62157"}],"_cs_exploited":false,"_cs_products":["argo-workflows"],"_cs_severities":["high"],"_cs_tags":["argo-workflows","credential-access","kubernetes"],"_cs_type":"advisory","_cs_vendors":["Argoproj","Google","Microsoft"],"content_html":"\u003cp\u003eArgo Workflows, a Kubernetes-native workflow engine, is vulnerable to credential exposure. Specifically, versions 4.0.0 through 4.0.4 inadvertently log artifact repository credentials in plaintext during artifact operations. This includes sensitive data like S3 Access Keys, Secret Keys, Session Tokens, Server-Side Customer Keys, OSS Access Keys, Secret Keys, Security Tokens, and GCS Service Account Keys. The vulnerability stems from the logging driver passing the entire ArtifactDriver struct to the structured logger. Any user with read access to workflow pod logs can extract these credentials, creating a significant security risk. This is an incomplete fix of CVE-2025-62157.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains read access to Kubernetes pod logs within the Argo Workflows namespace. This could be achieved through compromised credentials, misconfigured RBAC policies, or other Kubernetes vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a workflow that utilizes artifact storage, such as S3 or GCS.\u003c/li\u003e\n\u003cli\u003eThe workflow executes an artifact operation (upload or download).\u003c/li\u003e\n\u003cli\u003eArgo Workflows logs the entire ArtifactDriver struct, including the plaintext credentials, into the pod logs.\u003c/li\u003e\n\u003cli\u003eThe attacker queries the pod logs using \u003ccode\u003ekubectl\u003c/code\u003e or other Kubernetes tooling. For example: \u003ccode\u003ekubectl -n argo logs \u0026quot;cred-leak-test\u0026quot; -c wait\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the plaintext credentials (e.g., S3 Access Key and Secret Key) from the log output.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to access the artifact repository (e.g., S3 bucket) and potentially steal data or perform other unauthorized actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthorized access to artifact repositories used by Argo Workflows. This can lead to data breaches, as sensitive data stored in S3 buckets, GCS buckets, or other storage solutions can be exposed. The impact is especially severe if the compromised credentials have broad permissions or if the artifact repository contains highly sensitive data. This affects Argo Workflows versions 4.0.0, 4.0.1, 4.0.2, 4.0.3, and 4.0.4.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Argo Workflows to version 4.0.5 or later to remediate the vulnerability (CVE-2026-42295).\u003c/li\u003e\n\u003cli\u003eReview and restrict Kubernetes RBAC permissions to limit access to pod logs, following the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eImplement log monitoring and alerting for unusual access patterns to Kubernetes pod logs.\u003c/li\u003e\n\u003cli\u003eRotate any potentially exposed artifact repository credentials (S3 access keys, GCS service account keys, etc.) if Argo Workflows versions 4.0.0-4.0.4 were in use.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T20:12:01Z","date_published":"2026-05-04T20:12:01Z","id":"/briefs/2024-01-09-argo-cred-leak/","summary":"Argo Workflows versions 4.0.0 to 4.0.4 log artifact repository credentials in plaintext, allowing users with read access to pod logs to extract sensitive information such as S3 access keys and GCS service account keys.","title":"Argo Workflows Credentials Exposed in Pod Logs","url":"https://feed.craftedsignal.io/briefs/2024-01-09-argo-cred-leak/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Argo Workflows \u003c 3.7.14","Argo Workflows \u003e= 4.0.0","Argo Workflows \u003c 4.0.5"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","argo-workflows","cloud"],"_cs_type":"advisory","_cs_vendors":["Argoproj"],"content_html":"\u003cp\u003eArgo Workflows is vulnerable to a denial-of-service (DoS) attack (CVE-2026-42294) due to unbounded memory allocation in the Webhook Interceptor. The vulnerability resides in the \u003ccode\u003eserver/auth/webhook/interceptor.go\u003c/code\u003e component, specifically within the \u003ccode\u003e/api/v1/events/\u003c/code\u003e endpoint. This endpoint, intended for webhook integrations, reads the entire request body into memory without proper size limits, leading to potential memory exhaustion. An attacker can exploit this vulnerability by sending a crafted request with an extremely large body, causing the Argo Server to allocate excessive memory and potentially crash, resulting in a denial of service. Affected versions include Argo Workflows versions prior to 3.7.14 and versions 4.0.0 up to 4.0.5.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Argo Workflows instance with a publicly accessible \u003ccode\u003e/api/v1/events/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request targeting the \u003ccode\u003e/api/v1/events/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eContent-Length\u003c/code\u003e header of the request to a very large value (e.g., 1GB or more).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious request with a large amount of arbitrary data as the request body.\u003c/li\u003e\n\u003cli\u003eThe Argo Server receives the request and, within the \u003ccode\u003eWebhookInterceptor\u003c/code\u003e, calls \u003ccode\u003eio.ReadAll(r.Body)\u003c/code\u003e, allocating memory to store the entire request body.\u003c/li\u003e\n\u003cli\u003eDue to the large request body, the Argo Server\u0026rsquo;s memory consumption increases significantly.\u003c/li\u003e\n\u003cli\u003eIf the attacker sends a sufficiently large request, the Argo Server exhausts its available memory.\u003c/li\u003e\n\u003cli\u003eThe Argo Server process crashes due to an Out-Of-Memory (OOM) error, leading to a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition, disrupting workflow execution and API access for all users of the Argo Workflows instance. The Argo Server crashes, making it unavailable until restarted. This impacts service availability and potentially causes data loss if workflows are interrupted during execution. The number of victims depends on the number of Argo Workflows instances exposed and targeted by attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnforce a strict limit on webhook body size (e.g., 10MB) using \u003ccode\u003ehttp.MaxBytesReader\u003c/code\u003e or similar mechanisms within your ingress controller or reverse proxy to prevent oversized requests from reaching the Argo Server.\u003c/li\u003e\n\u003cli\u003eUpgrade Argo Workflows to version 3.7.14 or 4.0.5 or later to patch CVE-2026-42294 and mitigate the risk of denial-of-service attacks.\u003c/li\u003e\n\u003cli\u003eMonitor memory usage of the Argo Server process and set up alerts for unusually high memory consumption to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T20:11:01Z","date_published":"2026-05-04T20:11:01Z","id":"/briefs/2026-05-argo-dos/","summary":"Argo Workflows is vulnerable to a denial-of-service (DoS) attack due to unbounded memory allocation in the Webhook Interceptor component.","title":"Argo Workflows Webhook Interceptor Vulnerable to Unauthenticated Memory Exhaustion (CVE-2026-42294)","url":"https://feed.craftedsignal.io/briefs/2026-05-argo-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Argoproj","version":"https://jsonfeed.org/version/1.1"}