Vulnerability Details CVE-2026-28229
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with a Authorization: Bearer nothing token can leak sensitive template content, including embedded Secret manifests. This vulnerability is fixed in 4.0.2 and 3.7.11.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 16.9%
CVSS Severity
CVSS v3 Score 9.8
Products affected by CVE-2026-28229
-
cpe:2.3:a:argoproj:argo_workflows:3.7.0
-
cpe:2.3:a:argoproj:argo_workflows:3.7.1
-
cpe:2.3:a:argoproj:argo_workflows:3.7.2
-
cpe:2.3:a:argoproj:argo_workflows:3.7.3
-
cpe:2.3:a:argoproj:argo_workflows:3.7.4
-
cpe:2.3:a:argoproj:argo_workflows:3.7.5
-
cpe:2.3:a:argoproj:argo_workflows:3.7.6
-
cpe:2.3:a:argoproj:argo_workflows:3.7.7
-
cpe:2.3:a:argoproj:argo_workflows:3.7.8
-
cpe:2.3:a:argoproj:argo_workflows:3.7.9
-
cpe:2.3:a:argoproj:argo_workflows:4.0.0