CVE-2026-42297
Argo Workflows Is Missing Authorization in Sync ConfigMap Provider
Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operations (create, read, update, delete). Any authenticated user — including those using fake Bearer tokens — can create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits. This issue has been patched in version 4.0.5.
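Added example, not Argo's own code: a minimal Go model of the defect class, a sync-limit store whose every CRUD path must pass through one authorization gate, with a nil Authz reproducing the unchecked pre-4.0.5 behaviour in which any authenticated caller can write limits. Authorizer, StaticPolicy and SyncLimits are hypothetical names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrForbidden = errors.New("forbidden")

// Authorizer is the per-request decision point the vulnerable provider skipped
// (in Kubernetes, a SubjectAccessReview for the verb on configmaps in the
// namespace). Hypothetical interface for this example, not Argo's API.
type Authorizer interface {
	Allowed(user, verb, namespace string) bool
}

// StaticPolicy is a constructed stand-in: user -> allowed "verb:namespace".
type StaticPolicy map[string][]string

func (p StaticPolicy) Allowed(user, verb, ns string) bool {
	for _, rule := range p[user] {
		if rule == verb+":"+ns {
			return true
		}
	}
	return false
}

// SyncLimits models the ConfigMap-backed store of sync limits. A nil Authz
// reproduces the pre-4.0.5 behaviour: authenticated is treated as authorized.
type SyncLimits struct {
	Authz Authorizer
	Data  map[string]int
}

// authorize is the single gate every CRUD path must pass through.
func (s *SyncLimits) authorize(user, verb, ns string) error {
	if s.Authz != nil && !s.Authz.Allowed(user, verb, ns) {
		return fmt.Errorf("%s configmap in %s as %q: %w", verb, ns, user, ErrForbidden)
	}
	return nil
}

// Update writes a limit; Create/Get/Delete would gate on their own verbs the same way.
func (s *SyncLimits) Update(user, ns, name string, limit int) error {
	if err := s.authorize(user, "update", ns); err != nil {
		return err
	}
	s.Data[ns+"/"+name] = limit
	return nil
}
```

Wiring the same gate into every verb-specific handler is the fix; a detection hook is to alert on any ConfigMap write from a caller whose SubjectAccessReview was never evaluated.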
How to fix CVE-2026-42297
To remediate CVE-2026-42297, upgrade the affected package to a fixed version below.
- upgrade to 4.0.5 or later
Is CVE-2026-42297 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 4.0.0, < 4.0.5
- >= 4.0.0, < 4.0.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:H/SA:H |