Argo Workflows Is Missing Authorization in Sync ConfigMap Provider

8.5 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:H/SA:H

Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operations (create, read, update, delete). Any authenticated user — including those using fake Bearer tokens — can create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits. This issue has been patched in version 4.0.5.

Basic Information

ID CVE-2026-42297

Source GitHub_M

Published May 9, 2026 at 03:42

Affected Product

Vendor argoproj

Product argo-workflows

Version >= 4.0.0, < 4.0.5

Affected Versions argoproj argo-workflows >= 4.0.0, < 4.0.5

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operations (create, read, update, delete). Any authenticated user \u2014 including those using fake Bearer tokens \u2014 can create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits. This issue has been patched in version 4.0.5.",
    "published": "2026-05-09T03:42:43.305Z",
    "modified": "2026-05-09T03:42:43.305Z",
    "type": "cve",
    "title": "Argo Workflows Is Missing Authorization in Sync ConfigMap Provider",
    "source": "GitHub_M",
    "references": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xchc-cqwg-g76q\nhttps://github.com/argoproj/argo-workflows/commit/09fff05e0830c14a5e36cc40597ad84881db1ab6\nhttps://github.com/argoproj/argo-workflows/releases/tag/v4.0.5",
    "id": "CVE-2026-42297",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "argoproj argo-workflows >= 4.0.0, < 4.0.5",
    "sourceHref": "",
    "cvss": {
        "score": 8.5,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "argo-workflows",
    "version": ">= 4.0.0, < 4.0.5",
    "vendor": "argoproj",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Argo Workflows Is Missing Authorization in Sync ConfigMap Provider_CVE-2026-42297