PT-2026-37192 · Unknown · Argo Workflows

Rudra2018

·

Published

2026-05-04

·

Updated

2026-05-14

·

CVE-2026-42294

CVSS v4.0: 8.2 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Argo Workflows versions prior to 3.7.14
Argo Workflows versions prior to 4.0.5

Description

The Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the '/api/v1/events/' endpoint, which is publicly accessible. An attacker can send a request with an extremely large body, causing the Argo Server to allocate excessive memory, which may lead to an Out-Of-Memory (OOM) crash and denial of service. This issue is located in the addWebhookAuthorization() function within the server/auth/webhook component.

Recommendations

Update to version 3.7.14 or later.
Update to version 4.0.5 or later.
Enforce a strict limit on webhook body size using http.MaxBytesReader.
Implement streaming verification for signatures or use temporary files for large payloads.

Exploit

Fix

DoS

Allocation of Resources Without Limits


Weakness Enumeration

Related Identifiers

BIT-ARGO-WORKFLOWS-2026-42294
CVE-2026-42294
GHSA-JCC8-G2Q4-9FXQ

Affected Products

Argo Workflows