CVE-2026-28229 CRITICAL

CVE-2026-28229: Argo Workflows has unauthorized access to Argo Workflows Template

Vendor Argoproj
Product argo-workflows
Weakness CWE-863 · Incorrect authorization
Published March 11, 2026
Last update June 30, 2026
View on NVD All CVEs

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with a Authorization: Bearer nothing token can leak sensitive template content, including embedded Secret manifests. This vulnerability is fixed in 4.0.2 and 3.7.11.

Key dates

02Disclosure timeline

March 11, 2026 CVE published
June 30, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2021-29943 Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections CVE-2026-26205 opa-envoy-plugin has an Authorization Bypass via Double-Slash Path Misinterpretation in `input.parsed_path` CVE-2023-3033 Mobatime web application - broken authorisation mechanisms CVE-2026-42432 OpenClaw < 2026.4.8 - Command Escalation via Node Pairing Reconnect Bypass CVE-2025-20381 SPL commands allowlist controls bypass in Splunk MCP Server app through "run_splunk_query" MCP tool