
Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an extremely large body (e.g., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. This issue has been patched in versions 3.7.14 and 4.0.5.
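An added illustration of the mitigation pattern for this class of bug (CWE-770), written for this page and not taken from Argo Workflows or from the referenced fix commit: the handler refuses unsigned requests before touching the body, then reads the body through http.MaxBytesReader so the server can never buffer more than a fixed cap, and only then runs the HMAC check. The header name X-Hub-Signature-256, the GitHub-style "sha256=<hex>" format and the 1 MiB cap are assumptions chosen for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
	"net/http"
)

// Assumed cap on how many bytes of an unauthenticated webhook body are ever buffered.
const maxWebhookBody = 1 << 20 // 1 MiB

// verifySignature checks a GitHub-style "sha256=<hex>" HMAC-SHA256 header over body.
func verifySignature(secret, body []byte, sigHeader string) bool {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	want := "sha256=" + hex.EncodeToString(mac.Sum(nil))
	return hmac.Equal([]byte(want), []byte(sigHeader))
}

// webhookHandler refuses requests without a signature header before touching the
// body, then reads the body through http.MaxBytesReader so that the server never
// buffers more than maxWebhookBody bytes, whatever Content-Length claims, and only
// then runs the HMAC check.
func webhookHandler(secret []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		sig := r.Header.Get("X-Hub-Signature-256")
		if sig == "" {
			http.Error(w, "missing signature", http.StatusUnauthorized)
			return
		}
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxWebhookBody))
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "body exceeds limit", http.StatusRequestEntityTooLarge)
			return
		}
		if err != nil || !verifySignature(secret, body, sig) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusAccepted)
	}
}
```

Note that the cap applies before any authentication succeeds, so an oversized body is cut off at maxWebhookBody+1 bytes instead of being read to completion.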

PUBLISHED | Reserved 2026-04-26 | Published 2026-05-09 | Updated 2026-05-09 | Assigner GitHub_M

HIGH: 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-770: Allocation of Resources Without Limits or Throttling

Product status

< 3.7.14: affected

>= 4.0.0, < 4.0.5: affected

References

github.com/...kflows/security/advisories/GHSA-jcc8-g2q4-9fxq

github.com/...ommit/7abb4de6c3599e2d5d960ba4d5de4cf1df109965

github.com/argoproj/argo-workflows/releases/tag/v3.7.14

github.com/argoproj/argo-workflows/releases/tag/v4.0.5

cve.org (CVE-2026-42294)

nvd.nist.gov (CVE-2026-42294)
