CVE-2026-28229: Unauthorized access to Argo Workflows Template
The workflow template endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with an Authorization: Bearer nothing token can leak sensitive template content, including embedded Secret manifests.
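To gauge what such a leak would expose, the following added example (not code from the advisory or from the Argo project) audits a JSON listing of WorkflowTemplates and ClusterWorkflowTemplates for resource templates that embed a Secret manifest. It assumes the listing has the shape of `kubectl get workflowtemplates,clusterworkflowtemplates -A -o json` output; the function names and the sample data are constructed for illustration.

```python
import json
import re

# A top-level "kind: Secret" line in an embedded manifest (indented, nested
# "kind:" keys such as ownerReferences are deliberately not matched).
SECRET_KIND = re.compile(r"^kind:\s*['\"]?Secret['\"]?\s*$", re.MULTILINE)

def embedded_manifests(node, path):
    """Yield (path, text) for each resource.manifest string below node."""
    if isinstance(node, dict):
        res = node.get("resource")
        if isinstance(res, dict) and isinstance(res.get("manifest"), str):
            yield f"{path}.resource.manifest", res["manifest"]
        for key, value in node.items():
            yield from embedded_manifests(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            label = value.get("name", i) if isinstance(value, dict) else i
            yield from embedded_manifests(value, f"{path}[{label}]")

def find_embedded_secrets(listing):
    """Return (owner, path) for every template that embeds a Secret manifest."""
    findings = []
    for item in listing.get("items", []):
        meta = item.get("metadata", {})
        owner = f"{item.get('kind')}/{meta.get('namespace', '-')}/{meta.get('name')}"
        for path, text in embedded_manifests(item.get("spec", {}), "spec"):
            if SECRET_KIND.search(text):
                findings.append((owner, path))
    return findings

# Constructed sample, shaped like `kubectl get ... -o json` list output.
SAMPLE = json.loads(r'''
{"items": [
  {"kind": "WorkflowTemplate",
   "metadata": {"namespace": "ci", "name": "build"},
   "spec": {"templates": [
     {"name": "compile", "container": {"image": "example/builder"}},
     {"name": "make-creds", "resource": {"action": "create",
       "manifest": "apiVersion: v1\nkind: Secret\nmetadata:\n  name: demo\nstringData:\n  token: PLACEHOLDER\n"}}]}},
  {"kind": "ClusterWorkflowTemplate",
   "metadata": {"name": "shared"},
   "spec": {"templates": [
     {"name": "make-config", "resource": {"action": "create",
       "manifest": "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: demo\n"}}]}}
]}
''')

if __name__ == "__main__":
    for owner, path in find_embedded_secrets(SAMPLE):
        print(f"{owner}: Secret manifest embedded at {path}")
```

Any template it reports holds secret material in plain text inside the template body, so those values should be moved out of the template and rotated if the server was reachable while unpatched.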
References
- github.com/advisories/GHSA-56px-hm34-xqj5
- github.com/argoproj/argo-workflows
- github.com/argoproj/argo-workflows/commit/34afaf9c0c36f1ba8645d483ea4752cfc4a391e8
- github.com/argoproj/argo-workflows/releases/tag/v3.7.11
- github.com/argoproj/argo-workflows/releases/tag/v4.0.2
- github.com/argoproj/argo-workflows/security/advisories/GHSA-56px-hm34-xqj5
- nvd.nist.gov/vuln/detail/CVE-2026-28229