7.5

Argo Workflows Exposes Sensitive Template Content

GHSA-56px-hm34-xqj5 CVE-2026-28229 BIT-argo-workflows-2026-28229
Summary

If you use Argo Workflows, an unauthorized user can access and view sensitive workflow templates, which may contain confidential data like passwords or API keys. This is a serious issue because it allows an attacker to gain access to sensitive information. Update to version 4.0.2 or 3.7.11 to fix the issue and prevent unauthorized access.

What to do
  • Update github.com argoproj to version 3.7.11.
  • Update github.com argoproj to version 4.0.2.
  • Update argo-workflows to version 4.0.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | argoproj | <= 3.7.11 | 3.7.11 |
| github.com | argoproj | <= 4.0.2 | 4.0.2 |
| – | argo-workflows | > 4.0.0, <= 4.0.2 | 4.0.2 |
Original title
Argo Workflows has unauthorized access to Argo Workflows Template
Original description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with an Authorization: Bearer nothing token can leak sensitive template content, including embedded Secret manifests. This vulnerability is fixed in 4.0.2 and 3.7.11.
ghsa CVSS3.1 7.5
Vulnerability type
CWE-200 Information Exposure
CWE-863 Incorrect Authorization
Published: 13 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026