CVE-2026-42297 HIGH

CVE-2026-42297: Argo Workflows Is Missing Authorization in Sync ConfigMap Provider

Vendor Argoproj
Product argo-workflows
Weakness CWE-862 · Missing authorization
Published May 9, 2026
Last update June 30, 2026

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:H/SA:H

What the vulnerability does

01Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operations (create, read, update, delete). Any authenticated user — including those using fake Bearer tokens — can create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits. This issue has been patched in version 4.0.5.

Key dates

02Disclosure timeline

May 9, 2026 CVE published
June 30, 2026 Record updated