CVE-2026-42295: Argo vulnerable to exposure of artifact repository credentials
The workflow executor logs all artifact repository credentials (S3 access keys, secret keys, GCS service account keys, Azure account keys, Git passwords, etc.) in plaintext on artifact operation. Any user with read access to workflow pod logs can extract these credentials.
Note: This is an incomplete fix of CVE-2025-62157
References
- github.com/advisories/GHSA-7vf8-2cr6-54mf
- github.com/argoproj/argo-workflows
- github.com/argoproj/argo-workflows/blob/59f1089b9875723ddffd524513e6bd5cb37e5e31/workflow/artifacts/logging/driver.go
- github.com/argoproj/argo-workflows/commit/bdd40908580f727c590c8743836e338b04fe4a87
- github.com/argoproj/argo-workflows/releases/tag/v4.0.5
- github.com/argoproj/argo-workflows/security/advisories/GHSA-7vf8-2cr6-54mf
- github.com/argoproj/argo-workflows/security/advisories/GHSA-c2hv-4pfj-mm2r
- nvd.nist.gov/vuln/detail/CVE-2026-42295
Code Behaviors & Features
Detect and mitigate CVE-2026-42295 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →