
argoproj — Vulnerabilities & Security Advisories 62

Browse all 62 CVE security advisories affecting argoproj. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Argo Projects is an open-source cloud-native toolset primarily used for Kubernetes workflow orchestration and continuous delivery. Its core components, including Argo Workflows and Argo CD, facilitate complex pipeline automation and GitOps practices. Historically, the ecosystem has faced numerous security challenges, with records indicating approximately 56 Common Vulnerabilities and Exposures (CVEs). These issues predominantly involve privilege escalation, cross-site scripting (XSS), and remote code execution (RCE), often stemming from improper input validation or insufficient access controls within the web interfaces and API servers. While no single catastrophic incident has defined the project’s history, the high volume of vulnerabilities highlights the complexity of managing stateful applications in dynamic environments. Users are advised to maintain strict version control and apply security patches promptly to mitigate risks associated with these historically common vulnerability classes.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-42296 | Argo Workflows has incomplete fix for CVE-2026-31892: hostNetwork, securityContext, serviceAccountName bypass templateReferencing Strict/Secure | argo-workflows | CWE-863 | 8.1 | High | 2026-05-09 |
| CVE-2026-42295 | Argo Workflows: Exposure of artifact repository credentials | argo-workflows | CWE-522 | 8.1 (AI) | High (AI) | 2026-05-09 |
| CVE-2026-42294 | Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor | argo-workflows | CWE-770 | 6.5 (AI) | Medium (AI) | 2026-05-09 |
| CVE-2026-42183 | Argo Workflows: SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go) | argo-workflows | CWE-476 | 6.5 (AI) | Medium (AI) | 2026-05-09 |
| CVE-2026-42297 | Argo Workflows Is Missing Authorization in Sync ConfigMap Provider | argo-workflows | CWE-862 | 8.8 (AI) | High (AI) | 2026-05-09 |
| CVE-2026-42880 | ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction | argo-cd | CWE-200 | 9.6 | Critical | 2026-05-07 |
| CVE-2026-43824 | Argo CD security vulnerability | Argo CD | CWE-212 | 7.7 | High | 2026-05-02 |
| CVE-2026-40886 | Argo Workflows: Unchecked annotation parsing in pod informer crashes Argo Workflows controller | argo-workflows | CWE-129 | 7.7 | High | 2026-04-23 |
| CVE-2026-31892 | WorkflowTemplate Security Bypass via podSpecPatch in Strict/Secure Reference Mode | argo-workflows | CWE-863 | 8.8 | - | 2026-03-11 |
| CVE-2026-28229 | Argo Workflows has unauthorized access to Argo Workflows Template | argo-workflows | CWE-863 | 9.8 | Critical | 2026-03-11 |
| CVE-2026-23960 | Argo Workflows affected by stored XSS in the artifact directory listing | argo-workflows | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-01-21 |
| CVE-2025-66626 | argoproj/argo-workflows is vulnerable to RCE via ZipSlip and symbolic links | argo-workflows | CWE-23 | 8.1 | High | 2025-12-09 |
| CVE-2025-62157 | Argo Workflows exposes artifact repository credentials in workflow-controller logs | argo-workflows | CWE-522 | 8.1 (AI) | High (AI) | 2025-10-14 |
| CVE-2025-62156 | argo-workflows Zip Slip path traversal allows arbitrary file write and container configuration overwrite | argo-workflows | CWE-22 | 8.1 | High | 2025-10-14 |
| CVE-2025-59538 | Argo CD is Vulnerable to Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook | argo-cd | CWE-248 | 7.5 | High | 2025-10-01 |
| CVE-2025-59537 | argo-cd is vulnerable to unauthenticated DoS attack via malformed Gogs webhook payload | argo-cd | CWE-20 | 7.5 | High | 2025-10-01 |
| CVE-2025-59531 | Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload | argo-cd | CWE-703 | 7.5 | High | 2025-10-01 |
| CVE-2025-55191 | Repository Credentials Race Condition Crashes Argo CD Server | argo-cd | CWE-362 | 6.5 | Medium | 2025-09-30 |
| CVE-2025-55190 | Argo CD: Project API Token Exposes Repository Credentials | argo-cd | CWE-200 | 10.0 | Critical | 2025-09-04 |
| CVE-2025-47933 | Argo CD allows cross-site scripting on repositories page | argo-cd | CWE-79 | 9.1 | Critical | 2025-05-29 |
| CVE-2025-32445 | Users can gain privileged access to the host system and cluster with EventSource and Sensor CR | argo-events | CWE-250 | 10.0 | Critical | 2025-04-15 |
| CVE-2025-23216 | Argo CD does not scrub secret values from patch errors | argo-cd | CWE-209 | 6.8 | Medium | 2025-01-30 |
| CVE-2024-53862 | Argo Workflows Allows Access to Archived Workflows with Fake Token in `client` mode | argo-workflows | CWE-200 | 9.1 | - | 2024-12-02 |
| CVE-2024-52814 | Helm Lacks Granularity in Workflow Role | argo-helm | CWE-1220 | 2.8 | Low | 2024-11-22 |
| CVE-2024-52799 | Argo Workflows Chart: Excessive Privileges in Workflow Role | argo-helm | CWE-250 | 8.3 | High | 2024-11-21 |
| CVE-2024-47827 | Argo Workflows Controller: Denial of Service via malicious daemon Workflows | argo-workflows | CWE-362 | 5.7 | Medium | 2024-10-28 |
| CVE-2024-41666 | The Argo CD web terminal session does not handle the revocation of user permissions properly | argo-cd | CWE-269 | 4.7 | Medium | 2024-07-24 |
| CVE-2024-40634 | Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint | argo-cd | CWE-400 | 7.5 | High | 2024-07-22 |
| CVE-2024-37152 | Unauthenticated Access to sensitive settings in Argo CD | argo-cd | CWE-287 | 5.3 | Medium | 2024-06-06 |
| CVE-2024-36106 | Argo CD allows authenticated users to enumerate clusters by name | argo-cd | CWE-209 | 4.3 | Medium | 2024-06-06 |

"(AI)" marks a CVSS score or severity that the page tags as AI-generated; "-" means no severity was listed.

This page lists every published CVE security advisory associated with argoproj. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.