CVE-2026-42297
Published: 09 May 2026
Summary
CVE-2026-42297 is a high-severity Missing Authorization (CWE-862) vulnerability in Argoproj Argo Workflows. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28895
Vulnerability details
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs no authorization check on any of its CRUD operations (create, read, update, delete). Any authenticated user, including one presenting a fake Bearer token, can therefore create, read, update, and delete the Kubernetes ConfigMaps that hold synchronization limits. This issue has been patched in version 4.0.5; operators on an affected 4.0.x release should upgrade to 4.0.5 or later.
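The pattern behind the flaw and its fix, as an added Go example that is not Argo Workflows' code: a hypothetical ConfigMap-backed sync store (an in-memory map stands in for the Kubernetes API) routes every operation through one check. With no Authorizer wired in it behaves like the vulnerable provider and lets a caller with no permissions rewrite a limit; with one wired in, every path is denied. Principal, Authorizer, verbAuthorizer, SyncStore and Demo are assumed names for this illustration, not identifiers from server/sync/sync_cm.go, and the principals and limit values are constructed sample input.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Principal is the identity the authentication layer attached to the request;
// Verbs lists what it may do to sync-limit ConfigMaps (hypothetical model).
type Principal struct {
	Name  string
	Verbs map[string]bool
}

type ctxKey struct{}
func WithPrincipal(ctx context.Context, p Principal) context.Context {
	return context.WithValue(ctx, ctxKey{}, p)
}

var ErrForbidden = errors.New("forbidden")
// Authorizer is the reference monitor; every CRUD path must consult it.
type Authorizer interface {
	CanI(ctx context.Context, verb, name string) error
}

// verbAuthorizer stands in for a real RBAC check such as a SubjectAccessReview.
type verbAuthorizer struct{}
func (verbAuthorizer) CanI(ctx context.Context, verb, name string) error {
	p, _ := ctx.Value(ctxKey{}).(Principal) // no principal => zero value, no verbs
	if !p.Verbs[verb] {
		return fmt.Errorf("%w: %q may not %s sync limit %q", ErrForbidden, p.Name, verb, name)
	}
	return nil
}

// SyncStore models a ConfigMap-backed provider; a nil Authorizer reproduces the bug.
type SyncStore struct {
	limits map[string]int // stands in for the ConfigMaps in the Kubernetes API
	authz  Authorizer
}

func NewSyncStore(authz Authorizer) *SyncStore {
	return &SyncStore{limits: map[string]int{}, authz: authz}
}

// check is the single choke point that the vulnerable provider never called.
func (s *SyncStore) check(ctx context.Context, verb, name string) error {
	if s.authz == nil {
		return nil
	}
	return s.authz.CanI(ctx, verb, name)
}

// Put creates or updates a limit, asking the monitor for the matching verb.
func (s *SyncStore) Put(ctx context.Context, name string, limit int) error {
	verb := "create"
	if _, exists := s.limits[name]; exists {
		verb = "update"
	}
	if err := s.check(ctx, verb, name); err != nil {
		return err
	}
	s.limits[name] = limit
	return nil
}

func (s *SyncStore) Get(ctx context.Context, name string) (int, error) {
	if err := s.check(ctx, "get", name); err != nil {
		return 0, err
	}
	v, ok := s.limits[name]
	if !ok {
		return 0, fmt.Errorf("limit %q not found", name)
	}
	return v, nil
}

// Demo lets a caller with no permissions (as a request that slipped past token
// validation would have) try to raise a limit an admin set to 1; it returns the
// limit each provider ends up with, so 100 means the caller got through.
func Demo() (vulnerableLimit, hardenedLimit int) {
	admin := WithPrincipal(context.Background(), Principal{Name: "admin",
		Verbs: map[string]bool{"create": true, "get": true, "update": true}})
	nobody := WithPrincipal(context.Background(), Principal{Name: "nobody"})
	vuln, hard := NewSyncStore(nil), NewSyncStore(verbAuthorizer{})
	for _, s := range []*SyncStore{vuln, hard} {
		_ = s.Put(admin, "db-migrations", 1)
		_ = s.Put(nobody, "db-migrations", 100) // ErrForbidden only on the hardened store
	}
	vulnerableLimit, _ = vuln.Get(admin, "db-migrations")
	hardenedLimit, _ = hard.Get(admin, "db-migrations")
	return vulnerableLimit, hardenedLimit
}

func main() {
	v, h := Demo()
	fmt.Printf("limit after tampering: vulnerable=%d hardened=%d\n", v, h)
}
```

Running it prints limit after tampering: vulnerable=100 hardened=1. The review question for the real provider is the same one the example isolates: does every CRUD handler reach the authorization call, and is there a test that exercises each verb with an unprivileged principal so the handler that skips the call fails loudly.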
- CWE(s): CWE-862 Missing Authorization
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Missing authorization (CWE-862) on the Argo Workflows Sync Service API lets a remote caller use the public-facing workflow engine to perform unauthorized ConfigMap CRUD operations, which is the Exploit Public-Facing Application (T1190) pattern.
Affected Assets
- Argo Workflows 4.0.0 up to, but not including, 4.0.5 (fixed in 4.0.5)
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring an explicit access decision for every request prevents the missing authorization checks that would otherwise allow unauthorized access.
- Always invoking the reference monitor ensures no code path reaches a protected resource without an authorization check.
- Requiring enforcement of authorizations ensures checks are actually performed rather than omitted for individual resources or operations.
- Decoy endpoints catch forced browsing and direct object requests, deflecting attackers from legitimate resources while enabling analysis.
- Restricting who can invoke an operation at all, rather than relying on a per-request check that may be missing, limits what an unauthorized caller can do.
- Requiring a written access control policy ensures authorization checks are defined and applied for critical functions.
- Periodic reviews of access controls detect missing authorization checks on critical functions or resources.
- Documenting every permitted unauthenticated action makes each exception explicit and subject to organizational review, so an undocumented unchecked path stands out.