PT-2026-24700 · Unknown · Argo Workflows
Masamuneee · Published 2026-03-11 · Updated 2026-05-13 · CVE-2026-28229
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Argo Workflows versions prior to 4.0.2 and 3.7.11
Description: Argo Workflows, an open source container-native workflow engine for Kubernetes, has an issue where the workflow template endpoints allow any client to retrieve WorkflowTemplates and ClusterWorkflowTemplates. A request carrying the token Authorization: Bearer nothing can expose sensitive template content, including embedded Secret manifests. The issue stems from the informers using the server's own rest config, so reads are performed with the server service account's privileges rather than the caller's. A proof-of-concept demonstrates the ability to leak template data, including secrets, artifact locations, service account usage, environment variables, and resource manifests.
Recommendations: Update to Argo Workflows version 4.0.2 or 3.7.11.
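An added example, not part of this advisory or of the Argo project: a small Python check that decides whether an installed Argo Workflows release falls in the affected range and evaluates the JSON body returned by the argo-server GET /api/v1/version endpoint. It assumes that endpoint reports the release tag in a top-level "version" field, and it reads "prior to 4.0.2 and 3.7.11" as: 4.x releases are fixed from 4.0.2, every release below 3.7.11 is affected.

```python
import json
import re

# Fixed releases named in the advisory: 4.0.2 for the 4.x series, 3.7.11 below it.
# Treating every release below 3.7.11 (not only 3.7.x) as affected is an assumption
# drawn from the advisory's wording "prior to 4.0.2 and 3.7.11".
FIXED_4_SERIES = (4, 0, 2)
FIXED_3_SERIES = (3, 7, 11)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from tags such as 'v3.7.10' or '4.0.1-rc2'.

    Any pre-release suffix is ignored; only the numeric triple is compared.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Argo Workflows version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True when the release is inside the range the advisory marks as vulnerable."""
    triple = parse_version(version)
    if triple[:2] >= (4, 0):
        return triple < FIXED_4_SERIES
    return triple < FIXED_3_SERIES


def check_version_response(body):
    """Evaluate the JSON body of GET /api/v1/version (assumed to carry a "version" field)."""
    version = json.loads(body)["version"]
    affected = is_affected(version)
    advice = "update to 4.0.2 or 3.7.11" if affected else "not in the affected range"
    return {"version": version, "affected": affected, "advice": advice}


# Constructed sample response, not captured from a real server.
SAMPLE_RESPONSE = '{"version": "v3.7.10", "gitCommit": "placeholder"}'

if __name__ == "__main__":
    print(check_version_response(SAMPLE_RESPONSE))
```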

Exploit · Fix · Incorrect Authorization · Information Disclosure


Weakness Enumeration

Related Identifiers

BIT-ARGO-WORKFLOWS-2026-28229
CVE-2026-28229
GHSA-56PX-HM34-XQJ5
GO-2026-4678
SUSE-SU-2026:1042-1

Affected Products

Argo Workflows