Vulnerability Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an extremely large body (e.g., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. This issue has been patched in versions 3.7.14 and 4.0.5.
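The read-before-authenticate pattern described above, next to a size-bounded read, as an added Go example. It is not Argo Workflows' code or the actual patch; `maxWebhookBody`, `readUnbounded`, `readBounded`, `probe` and the `demo` path segment are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxWebhookBody is an assumed cap for this example, not a value taken from the patch.
const maxWebhookBody = 1 << 20 // 1 MiB

// readUnbounded shows the flaw class: the whole body is buffered before any auth or signature check.
func readUnbounded(r *http.Request) ([]byte, error) {
	return io.ReadAll(r.Body)
}

// readBounded returns the body and an HTTP status; oversized requests are refused before buffering.
func readBounded(w http.ResponseWriter, r *http.Request) ([]byte, int) {
	if r.ContentLength > maxWebhookBody { // declared size: reject before reading a byte
		return nil, http.StatusRequestEntityTooLarge
	}
	r.Body = http.MaxBytesReader(w, r.Body, maxWebhookBody) // chunked or mis-declared: stop at the cap
	body, err := io.ReadAll(r.Body)
	var tooBig *http.MaxBytesError
	if errors.As(err, &tooBig) {
		return nil, http.StatusRequestEntityTooLarge
	}
	if err != nil {
		return nil, http.StatusBadRequest
	}
	return body, http.StatusOK
}

// probe runs a constructed n-byte body through readBounded; declared=false drops Content-Length.
func probe(n int, declared bool) int {
	req := httptest.NewRequest(http.MethodPost, "/api/v1/events/demo", strings.NewReader(strings.Repeat("A", n)))
	if !declared {
		req.ContentLength = -1
	}
	_, status := readBounded(httptest.NewRecorder(), req)
	return status
}

func main() {
	fmt.Println(probe(512, true), probe(maxWebhookBody+1, true), probe(maxWebhookBody+1, false))
}
```

Signature verification still needs the body, so the cap has to be applied before the read rather than after authentication; a matching limit at the ingress or reverse proxy covers instances that cannot be upgraded immediately.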
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Argoproj | Argo Workflows | < 3.7.14 |
Related Weaknesses (CWE)
References
- https://github.com/argoproj/argo-workflows/commit/7abb4de6c3599e2d5d960ba4d5de4c (Patch)
- https://github.com/argoproj/argo-workflows/releases/tag/v3.7.14 (Release Notes)
- https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5 (Release Notes)
- https://github.com/argoproj/argo-workflows/security/advisories/GHSA-jcc8-g2q4-9f (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-42294?
CVE-2026-42294 is a vulnerability with a CVSS score of 7.5 (HIGH).
How severe is CVE-2026-42294?
CVE-2026-42294 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-42294?
Check the references section above for vendor advisories and patch information. Affected products include: Argoproj Argo Workflows.