HIGH8.1CVE-2026-42296Argo Workflows has incomplete fix for CVE-2026-31892: hostNetwork, securityContext, serviceAccountName bypass templateReferencing Strict/Secure from 0, < 3.7.14, >= 4.0.0, < 4.0.5
HIGH8.1CVE-2025-66626argoproj/argo-workflows is vulnerable to RCE via ZipSlip and symbolic links from 0, < 2.5.3, >= 3.0.0, < 3.6.14
HIGH8.1CVE-2025-62156argo-workflows Zip Slip path traversal allows arbitrary file write and container configuration overwrite from 0, < 3.6.12, >= 3.7.0, < 3.7.3
HIGH7.7Argo Workflows: Unchecked annotation parsing in pod informer crashes Argo Workflows controller
>= 3.6.5, < 3.7.14, >= 4.0.0, < 4.0.5
HIGH7.5Argo Workflows has unauthorized access to Argo Workflows Template
from 0, < 3.7.11, >= 4.0.0, < 4.0.2
HIGH7.1Privilege Escalation in argo-workflows
>= 2.6.0, < 3.2.11, >= 3.3.0, < 3.3.5
MEDIUM6.5Workflow re-write vulnerability using input parameter in github.com/argoproj/argo-workflows
from 0, < 3.1.4
MEDIUM5.7Argo Workflows Controller: Denial of Service via malicious daemon Workflows in github.com/argoproj/argo-workflows
>= 3.6.0-rc1, < 3.6.0-rc2
—Argo Workflows: Exposure of artifact repository credentials
>= 4.0.0, < 4.0.5
—Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor
from 0, < 3.7.14, >= 4.0.0, < 4.0.5
—Argo Workflows: SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go)
>= 4.0.0, < 4.0.5
—Argo Workflows Is Missing Authorization in Sync ConfigMap Provider
>= 4.0.0, < 4.0.5
—WorkflowTemplate Security Bypass via podSpecPatch in Strict/Secure Reference Mode
>= 2.9.0, < 3.7.11, >= 4.0.0, < 4.0.2
—Argo Workflows affected by stored XSS in the artifact directory listing
from 0, < 3.6.17, >= 3.7.0, < 3.7.8
—Argo Workflows exposes artifact repository credentials in workflow-controller logs
from 0, < 3.6.12, >= 3.7.0, < 3.7.3
—Argo Workflows Allows Access to Archived Workflows with Fake Token in `client` mode
>= 3.5.7, < 3.6.2