PT-2026-37195 · Unknown · Argo Workflows
Nebojsaj1726 · Published 2026-05-04 · Updated 2026-05-12 · CVE-2026-42297
CVSS v4.0: 8.5 (High)
| Metric | Value |
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:H/SA:H |
Name of the Vulnerable Software and Affected Versions
Argo Workflows versions 4.0.0 through 4.0.4
Description
The Sync Service's ConfigMap-backed provider in server/sync/sync_cm.go lacks authorization checks for all create, read, update, and delete (CRUD) operations. As a result, any authenticated user, including one presenting a fake Bearer token, can perform these operations on the Kubernetes ConfigMaps that store synchronization limits.
Recommendations
Update to version 4.0.5.
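The flaw described above is a missing-authorization pattern: a backend performs CRUD operations on a shared resource without first asking whether the caller is allowed to. The following Go program is an added illustration, not Argo Workflows' own code, of that pattern and its remedy. It models the sync-limit ConfigMap as an in-memory store and an RBAC decision as a map lookup (both hypothetical); a real server would consult the cluster's RBAC, for example through a SubjectAccessReview. The vulnerable store never consults an authorizer, so an unverified caller can raise a limit; the guarded store routes every verb through one authorization choke point.

```go
package main

import (
	"errors"
	"fmt"
)

// Caller is the identity the server derived from the request's Bearer token.
// Authenticated is false when the token did not verify (e.g. a made-up token);
// Verbs stands in for what the caller's RBAC role grants on the ConfigMap.
type Caller struct {
	Name          string
	Authenticated bool
	Verbs         map[string]bool
}

var (
	ErrUnauthenticated = errors.New("unauthenticated: bearer token did not verify")
	ErrForbidden       = errors.New("forbidden: caller may not perform this verb")
	ErrNotFound        = errors.New("not found")
)

// Authorizer answers "may this caller perform verb on the sync ConfigMap?".
// Hypothetical interface; a real server would delegate to cluster RBAC.
type Authorizer interface {
	Authorize(c Caller, verb string) error
}

type mapAuthorizer struct{}

func (mapAuthorizer) Authorize(c Caller, verb string) error {
	if !c.Authenticated {
		return ErrUnauthenticated
	}
	if !c.Verbs[verb] {
		return ErrForbidden
	}
	return nil
}

// LimitStore stands in for the ConfigMap holding sync limits (semaphore size
// per key). authz == nil models the vulnerable provider, which never checks;
// a non-nil authz models the fixed one.
type LimitStore struct {
	limits map[string]int
	authz  Authorizer
}

func NewLimitStore(a Authorizer) *LimitStore {
	return &LimitStore{limits: map[string]int{}, authz: a}
}

// check is the single choke point every verb passes through, so a new verb
// cannot be added without an authorization decision.
func (s *LimitStore) check(c Caller, verb string) error {
	if s.authz == nil { // vulnerable behaviour: no authorization at all
		return nil
	}
	return s.authz.Authorize(c, verb)
}

func (s *LimitStore) Create(c Caller, key string, limit int) error {
	if err := s.check(c, "create"); err != nil {
		return err
	}
	s.limits[key] = limit
	return nil
}

func (s *LimitStore) Get(c Caller, key string) (int, error) {
	if err := s.check(c, "get"); err != nil {
		return 0, err
	}
	v, ok := s.limits[key]
	if !ok {
		return 0, ErrNotFound
	}
	return v, nil
}

func (s *LimitStore) Update(c Caller, key string, limit int) error {
	if err := s.check(c, "update"); err != nil {
		return err
	}
	if _, ok := s.limits[key]; !ok {
		return ErrNotFound
	}
	s.limits[key] = limit
	return nil
}

func (s *LimitStore) Delete(c Caller, key string) error {
	if err := s.check(c, "delete"); err != nil {
		return err
	}
	delete(s.limits, key)
	return nil
}

// Demo returns the limit an admin reads back after a caller with an unverified
// token tries to raise it, for the vulnerable and the guarded store.
func Demo() (vulnerable, guarded int) {
	admin := Caller{Name: "admin", Authenticated: true,
		Verbs: map[string]bool{"create": true, "get": true, "update": true, "delete": true}}
	fake := Caller{Name: "fake-token", Authenticated: false} // constructed identity

	vuln := NewLimitStore(nil)
	_ = vuln.Create(admin, "workflow-semaphore", 2)
	_ = vuln.Update(fake, "workflow-semaphore", 100) // succeeds: nothing checked
	vulnerable, _ = vuln.Get(admin, "workflow-semaphore")

	fixed := NewLimitStore(mapAuthorizer{})
	_ = fixed.Create(admin, "workflow-semaphore", 2)
	_ = fixed.Update(fake, "workflow-semaphore", 100) // returns ErrUnauthenticated
	guarded, _ = fixed.Get(admin, "workflow-semaphore")
	return vulnerable, guarded
}

func main() {
	v, g := Demo()
	fmt.Printf("vulnerable store limit: %d, guarded store limit: %d\n", v, g)
}
```

The point of the single `check` method is structural: with authorization applied per verb at one choke point, a reviewer can verify the guard by reading one function, and the fake-token case is rejected before the store is touched rather than relying on each handler to remember the check.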
Weakness Enumeration
Missing Authorization
Related Identifiers
Affected Products
Argo Workflows