PT-2026-37193 · Unknown · Argo Workflows

Masamuneee · Published 2026-05-04 · Updated 2026-05-12 · CVE-2026-42295

CVSS v4.0: 8.5 High

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Argo Workflows versions 4.0.0 through 4.0.4

Description: The workflow executor logs artifact repository credentials in plaintext during artifact operations. This occurs because the logging driver passes the entire ArtifactDriver struct to the structured logger, which exposes its sensitive fields: AccessKey, SecretKey, SessionToken, and ServerSideCustomerKey for S3; AccessKey, SecretKey, and SecurityToken for OSS; and ServiceAccountKey for GCS. Any user with Kubernetes RBAC permissions to read workflow pod logs can extract these credentials.

Recommendations: Update to version 4.0.5.
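
The leak pattern in the description, reproduced with Go's standard log/slog package as an added example (not Argo Workflows code and not its 4.0.5 fix). The S3Driver type, the RedactedS3Driver wrapper, logDriver, and all values are hypothetical and constructed; only the field names come from the advisory's S3 list.

```go
package main

import (
	"bytes"
	"fmt"
	"log/slog"
)

// S3Driver is a hypothetical stand-in for an artifact driver struct (not Argo
// Workflows code). Field names follow the advisory's list for S3.
type S3Driver struct {
	Endpoint     string
	Bucket       string
	AccessKey    string
	SecretKey    string
	SessionToken string
}

// RedactedS3Driver has the same fields but implements slog.LogValuer, so a
// handler only ever sees the non-secret fields chosen here.
type RedactedS3Driver S3Driver

func (d RedactedS3Driver) LogValue() slog.Value {
	return slog.GroupValue(
		slog.String("Endpoint", d.Endpoint),
		slog.String("Bucket", d.Bucket),
		slog.String("credentials", "[REDACTED]"),
	)
}

// logDriver emits one JSON log record carrying the driver and returns the
// text, which is what a reader of the pod log would see.
func logDriver(driver any) string {
	var buf bytes.Buffer
	logger := slog.New(slog.NewJSONHandler(&buf, nil))
	logger.Info("loading artifact", "driver", driver)
	return buf.String()
}

func main() {
	// Constructed sample values, not real credentials.
	d := S3Driver{"s3.example.internal", "artifacts", "AKIACONSTRUCTED", "constructed-secret", "constructed-token"}
	fmt.Print(logDriver(d))                   // whole struct: every field is serialized
	fmt.Print(logDriver(RedactedS3Driver(d))) // LogValuer: secrets never reach the handler
}
```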

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

BIT-ARGO-WORKFLOWS-2026-42295
CVE-2026-42295
GHSA-7VF8-2CR6-54MF

Affected Products

Argo Workflows