CVE-2026-42294

Published 09/05/2026 04:16 · Modified 09/05/2026 04:16

Labels: CVE-2026-42294, 2026-05-09, CWE-770

Essential information

Published: 09/05/2026 04:16
Modified: 09/05/2026 04:16
CVSS: 8.2 HIGH (v3), 8.2 HIGH (v4.0)
CISA KEV: No
CWE: CWE-770

Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an extremely large body (e.g., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. This issue has been patched in versions 3.7.14 and 4.0.5.
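
The defensive pattern this description implies, as an added Go example (not Argo Workflows code and not the project's patch): cap the request body with `http.MaxBytesReader` before it is buffered for signature verification, so an oversized request is rejected without being loaded into memory. The 1 MiB limit, the `X-Signature` header, the HMAC-SHA256 scheme, the demo secret and the `/api/v1/events/demo` path are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const maxBody = 1 << 20 // assumed cap (1 MiB); size it to the largest legitimate webhook
var secret = []byte("constructed-demo-secret") // constructed sample key

// sign returns the hex HMAC-SHA256 of body (assumed signature scheme).
func sign(body []byte) string {
	m := hmac.New(sha256.New, secret)
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

// eventsHandler caps the body before buffering it, unlike an uncapped io.ReadAll(r.Body).
func eventsHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBody))
	var tooBig *http.MaxBytesError
	if errors.As(err, &tooBig) { // cap hit: reading stopped at maxBody
		http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
		return
	}
	if err != nil || !hmac.Equal([]byte(sign(body)), []byte(r.Header.Get("X-Signature"))) {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// post sends a constructed request through the handler and returns the status code.
func post(body io.Reader, sig string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/v1/events/demo", body)
	req.Header.Set("X-Signature", sig)
	rec := httptest.NewRecorder()
	eventsHandler(rec, req)
	return rec.Code
}

func main() { fmt.Println(post(strings.NewReader("{}"), sign([]byte("{}")))) }
```

The cap applies to bytes actually read, so it also covers chunked requests and requests whose declared length is wrong.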

NVD status

Status: Received (CVE has been recently published to the CVE List and has been received by the NVD)
Source: [email protected]

Affected products (CPE)

Product | CPE
argoproj / argo workflows | cpe:2.3:a:argoproj:argo_workflows:<3.7.14:*:*:*:*:*:*:*
argoproj / argo workflows | cpe:2.3:a:argoproj:argo_workflows:<4.0.5:*:*:*:*:*:*:*

References