CVE-2026-42295— Argo Workflows: Exposure of artifact repository credentials
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42295
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Argo Workflows: Exposure of artifact repository credentials
Source: NVD (National Vulnerability Database)
Vulnerability Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials (S3 access keys, secret keys, GCS service account keys, Azure account keys, Git passwords, etc.) in plaintext on artifact operation. Any user with read access to workflow pod logs can extract these credentials. This issue has been patched in version 4.0.5.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
不充分的凭证保护机制
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| argoproj | argo-workflows | >= 4.0.0, < 4.0.5 | - |
II. Public POCs for CVE-2026-42295
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42295
请登录查看更多情报信息。
Same Patch Batch · argoproj · 2026-05-09 · 5 CVEs total
| CVE-2026-42296 | 8.1 HIGH | Argo Workflows has incomplete fix for CVE-2026-31892: hostNetwork, securityContext, servic |
| CVE-2026-42294 | Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor | |
| CVE-2026-42297 | Argo Workflows Is Missing Authorization in Sync ConfigMap Provider | |
| CVE-2026-42183 | Argo Workflows: SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go) |
IV. Related Vulnerabilities
Same product: argo-workflows
- CVE-2026-42296
Argo Workflows has incomplete fix for CVE-2026-31892: hostNe - CVE-2026-42294
Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in W - CVE-2026-42183
Argo Workflows: SSO RBAC Delegation Nil Pointer Dereference - CVE-2026-42297
Argo Workflows Is Missing Authorization in Sync ConfigMap Pr - CVE-2026-40886
Argo Workflows: Unchecked annotation parsing in pod informer
Same vendor: argoproj
- CVE-2026-42296
Argo Workflows has incomplete fix for CVE-2026-31892: hostNe - CVE-2026-42294
Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in W - CVE-2026-42183
Argo Workflows: SSO RBAC Delegation Nil Pointer Dereference - CVE-2026-42297
Argo Workflows Is Missing Authorization in Sync ConfigMap Pr - CVE-2026-42880
ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Ext
Same weakness: CWE-522
- CVE-2026-41506
go-git Credential leak via cross-host redirect in smart HTTP - CVE-2025-62345
HCL BigFix RunBookAI is affected by a Continued availability - CVE-2026-23927
Agent 2 Oracle plugin TNS connection string injection via th - CVE-2026-42367
GeoVision LPC2011/LPC2211 Web Interface / ssi.cgi privilege - CVE-2026-6446
My Social Feeds <= 1.0.4 - Missing Authorization to Unauthen
V. Comments for CVE-2026-42295
No comments yet