CVE-2026-28229
- Source
- https://cve.org/CVERecord?id=CVE-2026-28229
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28229.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-28229
- Aliases
- Downstream
- Related
- Published
- 2026-03-11T15:37:47.338Z
- Modified
- 2026-03-26T09:14:29.308812Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Argo Workflows has unauthorized access to Argo Workflows Template
- Details
-
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with a Authorization: Bearer nothing token can leak sensitive template content, including embedded Secret manifests. This vulnerability is fixed in 4.0.2 and 3.7.11.
- Database specific
{ "cwe_ids": [ "CWE-863" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28229.json" }- References
Affected packages
Git / github.com/argoproj/argo-workflows
Affected ranges
Affected versions
Other
ui-v3-rc1
v2.*
v2.0.0
v2.0.0-alpha1
v2.0.0-alpha2
v2.0.0-alpha3
v2.0.0-beta1
v2.1.0
v2.1.0-alpha1
v2.1.0-beta1
v2.1.0-beta2
v2.1.1
v2.10.0-rc1
v2.2.0
v2.2.1
v2.3.0-rc1
v2.3.0-rc2
v2.3.0-rc3
v3.*
v3.1.0-rc1
v3.2.0-rc1
v3.2.0-rc2
v3.2.0-rc3
v3.2.0-rc4
v3.3.0-rc1
v3.3.0-rc2
v3.3.0-rc3
v3.3.0-rc4
v3.3.0-rc5
v3.3.0-rc6
v3.3.0-rc7
v3.3.0-rc8
v3.4.0-rc1
v3.4.0-rc2
v3.4.0-rc3
v3.4.0-rc4
v3.5.0
v3.5.0-rc1
v3.5.0-rc2
v3.6.0
v3.6.0-rc1
v3.6.0-rc2
v3.6.0-rc3
v3.6.0-rc4
v3.7.0
v3.7.0-rc1
v3.7.0-rc2
v3.7.0-rc3
v3.7.0-rc4
v3.7.1
v3.7.10
v3.7.2
v3.7.3
v3.7.4
v3.7.5
v3.7.6
v3.7.7
v3.7.8
v3.7.9
v4.*
v4.0.0
v4.0.1