CVE-2026-42294
Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor
Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an extremely large body (e.g., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. This issue has been patched in versions 3.7.14 and 4.0.5.
How to fix CVE-2026-42294
To remediate CVE-2026-42294, upgrade the affected package to a fixed version below.
- —upgrade to 3.7.14 or later
- —upgrade to 3.7.14 or later
- —upgrade to 4.0.5 or later
Is CVE-2026-42294 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 3.7.14, >= 4.0.0, < 4.0.5
- from 0, < 3.7.14
- >= 4.0.0, < 4.0.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |