Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor
Summary
| CVE | CVE-2026-42294 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-09 04:16:24 UTC |
| Updated | 2026-06-30 03:19:36 UTC |
| Description | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an extremely large body (e.g., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. This issue has been patched in versions 3.7.14 and 4.0.5. |
Risk And Classification
Primary CVSS: v4.0 8.2 HIGH from [email protected]
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000420000 probability, percentile 0.128600000 (date 2026-05-12)
Problem Types: CWE-770 | CWE-770 CWE-770: Allocation of Resources Without Limits or Throttling | CWE-770 Allocation of Resources Without Limits or Throttling
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | DECLARED | 8.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Primary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Argoproj | Argo Workflows | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Argoproj | Argo-workflows | affected < 3.7.14 | Not specified |
| CNA | Argoproj | Argo-workflows | affected >= 4.0.0, < 4.0.5 | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/argoproj/argo-workflows/security/advisories/GHSA-jcc8-g2q4-9fxq | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | github.com | Exploit, Vendor Advisory |
| github.com/argoproj/argo-workflows/commit/7abb4de6c3599e2d5d960ba4d5de4c... | [email protected] | github.com | Patch |
| github.com/argoproj/argo-workflows/releases/tag/v3.7.14 | [email protected] | github.com | Release Notes |
| github.com/argoproj/argo-workflows/releases/tag/v4.0.5 | [email protected] | github.com | Release Notes |
| access.redhat.com/security/cve/CVE-2026-42294 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42294.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-05-09T05:01:16.989Z | Reported to Red Hat. |
| ADP | 2026-05-09T03:45:48.180Z | Made public. |
Workarounds
ADP: Upgrade Argo Workflows to version 3.7.14 or later (3.x line) or 4.0.5 or later (4.x line) in affected Red Hat OpenShift AI releases. Red Hat OpenShift AI engineering is expected to deliver updated Data Science Pipelines builds for affected streams (rhoai-2.25, rhoai-3.3, rhoai-3.4). Until updated images are available, restrict network access to the Argo Server webhook endpoint (/api/v1/events/) using Ingress rules, firewall policies, or Kubernetes NetworkPolicy so only trusted webhook sources can reach it. Configure request body size limits at the Ingress or load balancer layer (for example, a maximum body size well below multi-gigabyte payloads) to reduce the risk of memory exhaustion from oversized requests.